Are the HIPAA Audits Moving Into Enforcement Territory?


The ongoing privacy and security HIPAA audits have long been billed as purely educational, but the chill winds of enforcement may be moving in, a number of attorneys recently told me.

“It’s my understanding that, dependent on what they find, they’ll be taking enforcement actions on these audits,” Alisa Chestler, a health-care attorney with Baker, Donelson, Bearman, Caldwell & Berkowitz, told me recently.

Chestler said health-information technology is growing more and more complex, which is leading to more privacy and security vulnerabilities.

The Internet of Things may be a target for future enforcement, Chestler said. The Internet of Things refers to the growing ability of everyday devices, including medical devices, to collect, send and receive data electronically.

The Health and Human Services Office for Civil Rights began a first phase of the compliance audits in 2011, focused solely on covered entities, while the current phase includes both covered entities and business entities.

Susan Nash, a health-care attorney with McDermott Will & Emery, told me that the OCR’s current audits are focused on cybersecurity issues affecting cloud computing, patients’ right to access information and health information exchanges.

The current round of audits includes both remote, or desk, audits, as well as more comprehensive on-site audits. The desk audits have been completed, but on-site audits may not start until the end of 2017 or even the beginning of 2018, Eric Fader, a health-care attorney with Day Pitney LLP, told me.

“A delay will allow the OCR to review the results of the desk audits and get input from HHS Secretary Price before beginning on-site audits,” Fader said.

Read more in my full story here.

Stay on top of new developments in health law and regulation with a free trial to the Health Law Resource Center.

Learn more about Bloomberg Law and sign up for a free trial.