Covered Entities and Business Associates Beware! New HIPAA Audits to Begin in Early 2016
While OCR previously had signaled that the HIPAA audits would be resuming in the near future (such as by noting the upcoming release of a new audit protocol), OCR’s new statement is the most definitive information currently available about the timing of these audits. Both covered entities and business associates are advised to take this opportunity to review their HIPAA compliance programs and ensure that they are being implemented properly.
OCR’s expected timeframe for the audits was included as part of its comments on the recently released report by the Office of Inspector General (OIG) titled “OCR Should Strengthen Its Oversight of Covered Entities’ Compliance with the HIPAA Privacy Standards.” (OIG also simultaneously released a second report titled “OCR Should Strengthen Its Followup of Breaches of Patient Health Information Reported by Covered Entities.”) In its report, OIG found that OCR’s oversight is primarily reactive, i.e., it investigates potential HIPAA violations primarily in response to complaints and self-reported breaches, rather than proactive, and identified other potential weaknesses in OCR’s oversight activities.
In response to OIG’s recommendation that it fully implement a permanent audit program, OCR noted that it was moving forward with planning for a permanent audit program and was going to launch the next phase of its audit program in early 2016. As described by OCR, this phase of the audit program is designed to test the efficacy of the combination of desk reviews of policies and on-site reviews. The audits will target specific common areas of noncompliance. Notably, although the previous round of audits focused only on covered entities, OCR specified that this round of audits will cover both covered entities and business associates.
Arent Fox attorneys regularly assist clients with implementing and strengthening their HIPAA compliance programs, conducting risk analyses, investigating and reporting breaches of unsecured protected health information, and responding to OCR investigations.