Second Phase of HIPAA Audits Coming Soon, Official Says

Stay ahead of developments in federal and state health care law, regulation and transactions with timely, expert news and analysis.

By James Swann

Sept. 3 — Preparations are under way for implementation of the second phase of HIPAA audits, and the audits may be rolled out shortly, a government official said at a conference Sept. 3.

A vendor has been chosen to perform the audits, and the Department of Health and Human Services Office for Civil Rights is confirming the contact information for covered entities that will be audited, OCR Director Jocelyn Samuels said during a conference focused on Health Insurance Portability and Accountability Act security that was co-hosted by the OCR and the National Institute of Standards and Technology.

The first phase of the HIPAA audits was conducted as a pilot program in 2011 and 2012.

The compliance audits are intended to determine if health-care organizations and their contractors are complying with federal regulations governing the protection of health-care data.

The OCR had said it planned to begin the permanent audit program in 2014, but concerns about funding hampered those efforts.

Samuels said the bulk of the phase two audits will be desk audits, meaning the auditors won't actually visit the covered entity. However, she said there will be some on-site audits.

Breach Notifications

Underscoring the concern over protecting health-care information, Samuels said the OCR has received 1,300 reports of large data breaches (ones affecting more than 500 individuals) in the six years since a breach notification rule was issued in August 2009.

The OCR also has received over 157,000 reports of small data breaches (those affecting fewer than 500 individuals) over the same period, she said.

Samuels highlighted a $750,000 settlement her office reached with the Cancer Care Group Sept. 2 over the theft of an unencrypted laptop.

Upon investigating the breach, which occurred in August 2012, the OCR discovered numerous compliance deficiencies, including the lack of risk analysis across the organization.

“All of us have to be vigilant in protecting health information,” Samuels said.

Carefully crafted policies and procedures are needed to address the findings from a risk analysis, she said.

In addition to its efforts on protection of health-care data, Samuels said the OCR is redesigning its website and expects to roll out the new site by December.

She also said she hopes her office can continue targeted hiring to fill some of the agency's gaps.

To contact the reporter on this story: James Swann in Washington at

To contact the editor responsible for this story: Brent Bierman at


Request Health Care on Bloomberg Law