Blog: HHS To Launch New HIPAA Audits in Early 2016 in Response to OIG Reports

Cooley LLP

The Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS) issued two reports  yesterday calling for the HHS Office of Civil Rights (OCR) to strengthen its Health Insurance Portability and Accountability Act (HIPAA) enforcement efforts.   In response to these reports, HHS announced that it will launch HIPAA audits early next year in order to be more proactive in HIPAA enforcement.

In the OIG report titled “OCR Should Strengthen its Oversight of Covered Entities’ Compliance with the HIPAA Privacy Standards,” the OIG found that OCR’s actions primarily are reactive in response to complaints made received by OCR.  The OIG also found that in most cases of noncompliance, corrective action by the covered entity was required, but OCR did not have documentation of the outcome or follow-up for 26% of these cases.  Additionally, the OIG found that OCR staff rarely check to see whether the covered entity involved has experienced a previous violation.

In the second OIG report titled “OCR Should Strengthen Its Followup of Breaches of Patient Health Information Reported by Covered entities,” the OIG found that although OCR investigated and documented investigations of most large breaches, OCR did not record information regarding small-breaches in its case-tracking system.  The OIG stated that failure to track these smaller breaches makes it harder for OCR to identify and address covered entities with multiple small breaches.  The OIG  outlined several recommendations as in the two reports, including:

  • Fully implement a permanent audit program;
  • Enter small-breach information into its case-tracking system or a searchable database linked to it;
  • Maintain complete documentation for corrective action;
  • Develop an efficient method in its case-tracking system to search for and track all  covered entities;
  • Develop a policy requiring OCR staff to check whether covered entities previously were investigated and/or reported prior breaches; and
  • Continue to expand outreach and education efforts to covered entities.

In comments published with the report, OCR Should Strengthen its Oversight of Covered Entities’ Compliance with the HIPAA Privacy Standards, OCR announced that it will begin the next round (Phase 2) of HIPAA audits early next year which will focus both on covered entities and business associates.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cooley LLP | Attorney Advertising

Written by:

Cooley LLP

Cooley LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.