HIPAA Audits for Health Care Entities Delayed Due to IT Upgrade
September 11, 2014 in News
HHS’ Office for Civil Rights has postponed the next round of HIPAA audits while it works to update portal technology that helps the agency collect and analyze submitted data, according to an OCR official, Health IT Security reports (Ouellette, Health IT Security, 9/9).
In 2012, OCR conducted a pilot HIPAA audit program involving 115 covered entities. Under the program, OCR conducted audits of:
- Health plans; and
- Health care providers (iHealthBeat, 6/3/13).
OCR later said it planned to conduct the second round of “desk audits” this fall, using its own staff to audit 350 covered entities and about 50 business associates, according to FierceHealthIT.
Audit Delay Details
During the Healthcare Information and Management Systems Society’s Privacy and Security Forum this week, OCR Senior Adviser Linda Sanches told attendees to “stay tuned” about the new start date for the audits but declined to speculate when that date would be (Hall, FierceHealthIT, 9/10).
Sanches said that an IT project to update portal technology to streamline the way the agency collects and analyzes audit documents was “pushed back.” As a result, she said OCR would be “holding off starting” audits.
In addition, Sanches said OCR is scaling back the number of remote desk audits it will conduct to “fewer than 200” and will hold more comprehensive on-site audits, but she declined to provide an estimate for those audits.
Sanches said OCR is planning to send pre-screening surveys to covered entities first and then to business associates, both of which will use the new online portal. She noted that those surveys are not intended to ensure an entity is compliant but rather to determine whether the entity is a candidate for an audit.
Sanches said that covered entities to be audited will be randomly selected from a national provider index database to include a wide geographic range and mix of covered entities, ranging from physician offices to dentists to insurers. Covered entities that are already under investigation for data breaches or HIPAA compliance will not be subject to audits, she added (Kolbasuk McGee, HealthcareInfoSecurity, 9/9).
Sanches said that during the audit period, covered entities will be responsible for HIPAA compliance, including:
- Access issues;
- Breach notification; and
- Risk analysis (Health IT Security, 9/9).
She advised covered entities to take this time to “get your house in order” and to “know who your [business associates] are” (HealthcareInfoSecurity, 9/9).