By James Swann
March 21 — The government’s Phase 2 HIPAA audits began March 21, a government official said at a conference.
Health and Human Services Office for Civil Rights Director Jocelyn Samuels said Phase 2 will consist of 200 desk and on-site audits of both covered entities and business associates.
The compliance audits are intended to determine if health-care organizations and their contractors are complying with Health Insurance Portability and Accountability Act privacy and security rules.
The first phase of the HIPAA audits was conducted as a pilot program in 2011 and 2012, focused solely on covered entities, while Phase 2 will include both covered entities and business associates.
The desk audits are expected to be completed by December, while the more comprehensive on-site audits will begin later in the year, Samuels said during the National HIPAA Summit.
Kirk Nahra, an attorney with Wiley Rein in Washington, told Bloomberg BNA March 21 that Phase 2's impact will depend on how difficult the audit protocol is.
The audit protocols contain the specific issues auditors will be examining and provide detail on what documents organizations have to submit.
Nahra said the first protocol in the Phase 1 audits was very burdensome.
The Phase 2 audits will affect a small percentage of organizations, Nahra said.
“The problem with audits are their overall burden, the risks resulting from the audits and the potential unfairness of picking people largely at random,” Nahra said.
Samuels said the Phase 2 audits aren't meant to be punitive, but are designed to allow the OCR to get out in front of potential problems.
The first round of desk audits will involve covered entities, while the second round will center on business associates, and it's possible that the OCR might follow up a desk audit with an on-site visit, Samuels said.
The Phase 2 audits will cover a wide range of health plans, providers and business associates, Samuels said.
The wide range will enable the OCR to assess HIPAA compliance across the entire health-care industry, Samuels said.
The desk audits will review specific requirements of the HIPAA privacy, security, or breach notification rules, while the on-site audits will have a broader focus on the HIPAA rules, Samuels said.
Audit subjects will receive an e-mail regarding their audit selection and will be able to submit any requested documents through a portal on the OCR's website.
Protocols for the Phase 2 audits will be posted on the OCR's website soon, Samuels said.
In addition to announcing the start of the Phase 2 audits, Samuels spoke about OCR's enforcement efforts over the past year.
She said the OCR has reached nine major settlement agreements regarding HIPAA breaches since last March, resulting in a total of $11 million in fines. She called it “a very eventful year.”
For example, the OCR reached a $3.9 million settlement with the Feinstein Institute for Medical Research on March 17, one day after a $1.9 million agreement with North Memorial Health Care of Minnesota.
Highlighting some of the lessons learned as a result of the OCR's enforcement efforts, Samuels cited the need for companies to:
Samuels said the OCR is serious about holding organizations accountable for their HIPAA compliance.
Samuels also spoke briefly about the Obama administration's Precision Medicine Initiative, which she said is designed to enable personalized medical treatment.
The program's success depends on patient willingness to share vast amounts of personal data, and the OCR is committed to ensuring that there are robust privacy and security protections in place, Samuels said.
To contact the reporter on this story: James Swann in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Janey Cohen at email@example.com
An OCR fact sheet on the Phase 2 audits is at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.