The new round of HIPAA audits expected to start this fall has been delayed. The announcement was made by Linda Sanches, a senior adviser for the Office for Civil Rights (“OCR”) at the Department of Health and Human Services, while speaking at the Health Information and Management Systems Society’s (HIMSS) Privacy and Security Forum. In a theme somewhat common from recent government initiatives, the delay is caused by a web portal not being ready.
The newest round of HIPAA audits follows a pilot program that occurred in 2012. The pilot audits were conducted by an outside vendor and reviewed 115 covered entities. At that time, no penalties or other adverse consequences could result from the audits. Instead, the pilot audits were intended to assess the status of HIPAA compliance overall within the industry. Unfortunately, the early audits did not reveal any trends that could allow covered entities as a whole to learn what actions were necessary. Instead, the pilot audits revealed non-compliance across the entire HIPAA spectrum. As such, the pilot audits did serve as a red flag that covered entities and business associates needed to develop and implement all required HIPAA policies and procedures.
With that backdrop, OCR’s new round of audits may present challenges to covered entities and business associates. However, OCR has been ample warning that the audits are coming and even announced a pre-survey back in February 2014. That step now seems closer, though as indicated above, delayed.
When the audits do finally begin, covered entities will be the only initial targets. OCR intends to select covered entities from across the country as well as a good assortment of types of covered entities. Selections will be made randomly from a national provider index database.
Even though covered entities will be the initial subjects of the audits, business associates are not off the hook. Part of the survey process will include a requirement that covered entities identify and list out every single business associate of that covered entity. OCR will in turn use that list to select business associates when the audits are expanded.
The next question is what will the audits look like? According to Sanches, OCR is revising its initial plans. At first, OCR intended to audit approximately 400 covered entities through desk audits. That number is being pared back to less than 200, which may reflect concerns about the ability to handle an influx of documents. If the web portal proves effective, then it may be reasonable to expect an expansion of the number of desk audits. The desk audits will be very targeted in their scope and designed to cover specific compliance issues. As a result of the reduced number of desk audits, OCR will increase the number of on-site audits. The on-site audits, as would be expected, will be more comprehensive.
What should covered entities and business associates do to prepare? Proactively reviewing and assessing all HIPAA policies and procedures is more than advised. One area of particular importance will be the risk analysis. OCR feels that risk analyses have been severely deficient and will expect to see that a robust analysis took place. The risk analysis forms the backbone for a good security plan, which is an issue constantly in the headlines.