HHS OCR’s Phase II of HIPAA Compliance Audits

The HIPAA Information Security Assurance Conference was held in Washington, DC by the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) on September 2nd and 3rd of 2015. The conference opened with a speech by OCR Director Jocelyn Samuels. She discussed a number of initiatives on which the agency is currently focusing, including updates on Phase II of the Nationwide HIPAA Compliance Audit Program. Speaking of the long-anticipated program, Director Samuels said that “the audits are coming”, calling it a critical and long-needed change necessary to help prevent breaches and raise the level of HIPAA compliance among health care providers in the United States. In her speech, Director Samuels also noted that OCR is in the final stages of selecting a third-party vendor to conduct audits of HIPAA covered entities and business associates using a protocol developed by the agency. She further explained that the audit program would be conducted primarily through desk audits, with plans to conduct on-site audits in the future as well. Details on the number of organizations to be audited, or the date when the audits are scheduled to begin, were not revealed.

The presentation given by Director Samuels served as confirmation for many covered entities in the US that OCR is committed to its long-awaited Phase II of the HIPAA Compliance Audit Program. One notable change from the original plan discussed at the conference is that OCR plans to use outside contractors to perform the work. Speakers also emphasized the value of the audit protocol OCR developed as a tool organizations can use to improve their current compliance posture and to prepare for possible selection in the upcoming OCR initiative.

On September 3rd, more details of the random audits were revealed. OCR finalized a contract with an outside vendor, FCi Federal, to manage the audit program using subcontractors to perform the engagements. The contract award to FCi is valued at $769,000, and the task order calls for the services to be performed between September 2015 and the end of 2016. “We are hard at work on the next phase (of audits), and I know you’ve heard that a lot, but it’s coming,” OCR Director Samuels said Wednesday at the conference. “Audits are really a critical compliance tool for us because they enable us to get out in front of potential industry problems before they result in a breach … and they enable us to better tailor our guidance and our technical assistance to ensure that we’re addressing the most common problems.” OCR anticipates that approximately 200 desk audits and 24 on-site audits will be conducted by this contractor.

OCR made it clear that it is serious about compliance, and about enforcement against noncompliance, by announcing its most recent settlement to coincide with the opening speech given by Director Samuels. Cancer Care Group was issued a $750,000 HIPAA settlement that emphasizes the importance of risk analysis and of device and media control policies. The organization was also given a robust corrective action plan to remedy its HIPAA compliance deficiencies.

“Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information,” said OCR Director Jocelyn Samuels. “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

Some of the other updates from OCR included:

  • Guidance on individuals’ right of access is forthcoming in October, which Samuels called “a fundamental right”.
  • OCR is developing guidance on HIPAA compliance when using cloud technology that is slated to be available this fall.
  • OCR is updating its web portal for software developers.

Over the two days, OCR made clear that it is focused on risk assessment, risk management, breaches and HIPAA enforcement. All of the movement on the HIPAA compliance audit program and on enforcement activity demonstrates that OCR is back to running on all cylinders and aims to ramp up its efforts to root out organizations that show significant non-compliance with the health information privacy and security standards.