On September 10, 2015, the Department of Health and Human Services Office of Inspector General (OIG) recommended that the Office for Civil Rights (OCR) strengthen its oversight of covered entities’ compliance with the HIPAA Privacy Rule. U.S. Dept. of Health and Human Servs., OEI-09-10-00510, OCR Should Strengthen Its Oversight of Covered Entities’ Compliance with the HIPAA Privacy Standards (2015). The OIG made the following recommendations to OCR after conducting its study:
- Fully implement a permanent audit program;
- Maintain complete documentation of corrective action;
- Develop an efficient method in its case-tracking system to search for and track covered entities;
- Develop a policy requiring OCR staff to check whether covered entities have been previously investigated; and
- Continue to expand outreach and education efforts to covered entities. Id. at 11-12.
In response to the report, OCR agreed with each of OIG’s recommendations, and OCR Director Jocelyn Samuels announced that OCR would launch Phase 2 of its audit program in early 2016. Letter from Jocelyn Samuels, Director of OCR, to Daniel R. Levinson, Inspector General of the Dept. of Health and Human Servs. (September 23, 2015). The audit program will measure compliance by covered entities and business associates with HIPAA’s privacy, security, and breach notification requirements through a combination of desk reviews of policies and on-site reviews. Id. Unlike the pilot audits in 2012, which were conducted by a consulting firm that OCR hired, the next round of audits will be performed by OCR staff.
In anticipation of the upcoming audits and to avoid potential issues, covered entities should assess their preparedness and HIPAA compliance by using the existing protocol and other guidance available on the OCR Health Information Privacy website.
Additionally, covered entities and business associates should invest time in identifying and closing any HIPAA compliance gaps and ensuring that they have the proper risk analysis, risk management, and breach reporting plans in place. Addressing the following common areas of concern can help with assessing preparedness:
- Has a risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information been conducted and documented? 45 C.F.R. § 164.308(a)(1)(ii)(A).
- Is a breach reporting plan in place for responding to breaches of Protected Health Information?
- Are written policies and procedures in place that address privacy and security standards, and the weaknesses identified in the risk assessment?
- Is a training program in place with documented training for new staff and existing staff?
- Is a HIPAA-compliant Notice of Privacy Practices provided to patients, and is the notice available on the covered entity’s website?
- Are appropriate agreements in place with business associates?
In preparation for the OCR audits, covered entities should be able to provide evidence that: (1) a risk analysis has taken place; (2) policies have been adopted to reduce risks and vulnerabilities to a reasonable level; (3) HIPAA training has been conducted; and (4) the notices have been delivered. Having the right supporting documentation in place can go a long way toward helping a covered entity survive an OCR audit, even where operational compliance may not always be one hundred percent.