Second Phase of HIPAA Compliance Audits To Be Implemented Soon, OCR Director Says

Bloomberg BNA's Health IT Law & Industry Report brings you concise, comprehensive, and timely news and analysis of the regulatory, legal, and compliance issues surrounding our nation’s...

By James Swann

Jan. 14 — The next round of HIPAA compliance audits by the Department of Health and Human Services Office for Civil Rights will be implemented “expeditiously” and will be accompanied by new audit guidelines, the head of the OCR said during a media roundtable Jan. 13.

The audits are in addition to the OCR's “existing arsenal of tools” for ensuring compliance with the Health Insurance Portability and Accountability Act Privacy and Security rules, OCR Director Jocelyn Samuels told reporters. Some of the OCR's existing tools include investigating complaints of possible compliance violations as well as conducting education and outreach programs with covered entities focused on compliance.

The audits will be used to help entities correct compliance issues as well as help the government identify systemic HIPAA compliance problems, she said.

Samuels urged HIPAA-covered entities and business associates to monitor the OCR website over the coming weeks and months for updates on the status of the phase two audits, including new audit protocols and guidance.

Phase one of the HIPAA audits was conducted as a pilot program in 2011 and 2012. Overall, the compliance audits are intended to determine if health-care organizations and their contractors are complying with federal regulations governing the protection of health-care data.

An OCR official in September 2014 said the audits are resource-intensive, and that the OCR has asked Congress for additional staffing. The OCR previously has said it planned to begin the permanent audit program in 2014, but concerns about funding hampered those efforts.

Compliance Best Practices

Samuels told Bloomberg BNA via e-mail that the compliance audits allow the OCR “to identify best practices and proactively uncover risks and vulnerabilities, unlike our other enforcement tools, such as complaints and compliance reviews; provide a proactive and systematic means to assess and improve industry compliance; enhance industry awareness of compliance obligations; and enable OCR to target its outreach and technical assistance to identified problems and to offer tools to the industry for self-evaluation and prevention.”

Samuels also said the OCR has continued to increase its investigations of noncompliance with the HIPAA Privacy Rule that results in industrywide impact, also known as high-impact cases. She said the OCR has entered into 16 resolution agreements since 2012 that have included monetary settlements and corrective action plans designed to resolve the high-impact cases.

“While this represents a very small fraction of the complaints that OCR investigates and compliance reviews that OCR initiates, this is an increase in the number of high-impact cases that OCR resolved through resolution agreements and corrective action plans over previous years,” Samuels said.

Samuels also said that while covered entities and business associates are getting better at understanding their obligations regarding breach notifications, “we do continue to see indications of noncompliance in this area.”

To contact the reporter on this story: James Swann in Washington at

To contact the editor responsible for this story: Kendra Casey Plank at