OCR's Samuels Describes Launch of Phase 2 of HIPAA Audit Program

March 19, 2016
by David Raths
Fifty on-site and 150 ‘desk audits’ to be conducted

Speaking at the HIPAA Summit meeting in Washington, D.C., on March 21, Jocelyn Samuels, director of the HHS Office for Civil Rights, announced that phase 2 of the audit program has been launched. She pointed privacy and security officers to the OCR web site for more detail. 

Samuels called the program a critical tool for OCR, “not to be punitive, but to get out in front of problems that have led to the breach reports we have received.” She said it gives OCR a way to look at weaknesses by sector, geographic regions, and organizational size, and evaluate risks they may be facing before they ripen into breaches. “It is a valuable way for us to get out in front and direct guidance in ways we hope will be more useful,” she said.

The first set of audits will be desk audits of covered entities, followed by a second round of desk audits of business associates. These audits will examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules, and auditees will be notified of the subject(s) of their audit in a document request letter. All desk audits in this phase will be completed by the end of December 2016.

The third set of audits will be onsite and will examine a broader scope of requirements from the HIPAA Rules than desk audits. Some desk auditees may be subject to a subsequent onsite audit.

Speaking at the PHI Protection Network Conference in Philadelphia this week, Barbara Holland, regional manager for OCR's Mid-Atlantic region, provided some details about the timing and scope of the upcoming HIPAA audits.

OCR initiated a HIPAA audit pilot program in 2012, but it had not, until now, transitioned to an ongoing audit program. In 2016, OCR is ramping up to do 200 audits, Holland said. “We just hired people to form an audit group. The audits will start in four to six months. We will audit 150 covered entities and 50 business associates.” She added that 150 would be “desk audits,” and 50 would be on-site. Of the 50 on-site audits, 40 will be at covered entities and 10 at business associates.

When the program gets under way, there will be new audit protocols on the OCR web site, Holland added. In response to an audience question, she said OCR is trying to become more uniform in the way it assesses breaches and imposes penalties. “We are trying to become more consistent in how we investigate major breaches and systemic compliance problems. We are paying more attention to organizations with recurring problems,” she said.

She said OCR would incentivize preventive action in the most common problem areas, yet be hard on entities with recurring problems: the third time something happens, she said, you will be hit with a monetary penalty. “We are beginning to raise our expectations about compliance. We know some people have struggled to comply, but we are expecting more from traditional providers. We have a lower tolerance for noncompliance.”

Speaking on the same panel, Adam Greene, a partner at the law firm Davis Wright Tremaine who previously worked at HHS and within OCR itself as a senior health IT advisor, said OCR is not a typical enforcement agency. Most of the enforcement agencies providers deal with want something to show, such as a settlement, when there is a violation. That is not how OCR operates: the overwhelming majority of cases are resolved with voluntary corrective action. “In over 99 percent of cases where they could impose a penalty, they work on voluntary corrective action,” Greene said.

To prepare for the audits, Greene said, you should make sure you have done a breach risk assessment and have a risk management plan in place, and check that your privacy notices and patient right-of-access notices have been updated.

But his advice is not to worry overly much about audits. OCR is planning 200 audits this year in a universe of 3 million covered entities. “The risk is small. I think you should be more worried about breaches and complaints. If you are trying to decide whether to do a mock audit or a tabletop exercise of a breach, remember that the risk of a breach is a lot higher than the risk of an audit. Don't let the possibility of an audit blindside you to the much bigger risk.”