Fewer Than 150 HIPAA Audits Expected

Rodriguez: Targeted Goal for Compliance Audits Won't Be Hit

By , February 27, 2012.

This year's HIPAA compliance audit program will come up somewhat short of the target of 150 audits, says Leon Rodriguez, the nation's lead HIPAA enforcer.

"I don't think it's actually going to be quite 150," says Rodriguez, director of the Department of Health and Human Services' Office for Civil Rights. "It will be something close to that." That's because of the office's funding level and the capacity of KPMG, the firm hired to conduct the audits, Rodriguez explains in an exclusive interview with HealthcareInfoSecurity.

The 20 initial audits conducted to fine-tune the effort are nearly complete, Rodriguez said Feb. 24 following his presentation at the Healthcare Information and Management Systems Society Conference in Las Vegas. All other covered entities slated to be audited this year have either been notified or will be within a few weeks, he explains.

Although Rodriguez declines to provide any insights based on the initial 20 audits, he notes that his agency has identified several common HIPAA compliance shortcomings in its breach investigations so far. "You really still do have significant security vulnerabilities out there," he says. "And sometimes those issues are as fundamental as no evidence of a risk analysis, no policies and procedures and no adequate technical safeguards for data."

Audit Report Planned

In the interview, Rodriguez also:

  • Notes that his office will issue a report on the aggregate results of the audits once all the 2012 reviews are complete;
  • Says that "there is a reasonable likelihood" that the audit program will continue next year. "If we learn ... that this audit program has exposed vulnerabilities and issues that we can't find any other way, it will be good policy for us to keep this audit program going."
  • Explains that the Obama Administration's proposed $2 million cut in the OCR budget for fiscal 2013 will likely be more than offset by income from monetary penalties the office collects from HIPAA violators, which can be used to fund enforcement. He notes, however, that fines and penalties also must be used to offer restitution to victims, as required under the HITECH Act.
  • Acknowledges that "it's quite possible" that the long overdue omnibus package of privacy and security regulations won't be issued in March, which HHS recently announced as the target date. The package will include the final HIPAA breach notification rule, HIPAA modifications and the privacy provisions under the Genetic Information Nondiscrimination Act.

At the HIMSS Conference, Rodriguez showed four brief videos designed to educate healthcare providers, as well as consumers, about patient privacy issues. Those can now be found on YouTube.

Rodriguez, formerly chief of staff and deputy assistant attorney general for the Department of Justice Civil Rights Division, became director of HHS's Office for Civil Rights in early September 2011. The office enforces the HIPAA privacy and security rules as well as the HIPAA breach notification rule. He succeeded Georgina Verdugo, who held the post for about two years. From May 2007 to January 2010, Rodriguez served as the county attorney for Montgomery County, Md. Before that, he served in private practice specializing in health law and was a federal and state prosecutor in several jurisdictions. For example, he prosecuted healthcare fraud cases as assistant U.S. attorney in Pittsburgh.

Follow Howard Anderson on Twitter: @HealthInfoSec
