Delays Continue for OCR’s 2015 HIPAA Audits

Locke Lord LLP

The Department of Health and Human Services Office for Civil Rights (“OCR”) continues to delay implementation of Phase 2 of its HIPAA Audit Program (“Phase 2”), which will build on OCR’s pilot audit program that concluded in 2012. In January, OCR Director Jocelyn Samuels reportedly stated that Phase 2 would be “implemented expeditiously.” However, during an April 15 session at the HIMSS 2015 Conference in Chicago, a regional official from OCR reportedly communicated that the audit program is still “under development.”

The 2015 audits will target both HIPAA-covered entities and their business associates. When originally announced, the Phase 2 audits were expected to be desk audits, though now it appears that OCR may also perform some audits onsite. The audits will focus on areas of heightened risk identified by OCR during its pilot program, which include compliance with the HIPAA Security Rule’s requirement to conduct security risk assessments.

OCR is also expected to issue new guidance for the Phase 2 audits, which may include updating the audit program protocol for covered entities currently on OCR’s website and issuing new business associate protocols. Until additional guidance is issued, to prepare for a potential audit, covered entities and business associates should continue to monitor their HIPAA compliance and implementation efforts and consider the current OCR audit program protocol, which addresses elements of privacy, security, and breach notification. Topics of review are: (1) notice of privacy practices for HIPAA Protected Health Information (“PHI”), (2) individuals’ rights to request privacy protection for PHI, (3) individuals’ access to their own PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.

The current protocol also covers Security Rule requirements for administrative, physical, and technical safeguards and requirements for the Breach Notification Rule. Thus, in addition to monitoring general HIPAA compliance, both covered entities and business associates should conduct regular security risk assessments and address potential HIPAA risks identified in such assessments.

In addition to its Phase 2 HIPAA audits, OCR will continue investigating complaints alleging violations of the HIPAA Privacy and Security Rules and may also investigate reports of high-profile breaches. So far in 2015, OCR has not announced any settlements with covered entities or business associates.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Locke Lord LLP | Attorney Advertising
