HIPAA Audits: More to Come in 2014
Rodriguez: More Audits, But Narrower in Scope
Federal regulators are planning for a permanent HIPAA audit program that will begin next year, says Leon Rodriguez, director of the Department of Health and Human Services' Office for Civil Rights. But the audits will be narrower in scope than the 115 in the pilot program during 2012, helping pave the way for a higher number of organizations to be audited.
"We hope to be off and running in the next calendar year," Rodriguez said at the HIMSS Privacy and Security Forum in Boston on Sept. 23.
Earlier, OCR had announced the audit program would resume sometime in fiscal 2014, which begins Oct. 1. OCR officials also indicated that business associates, as well as covered entities, will be audited in the permanent program because they're liable for HIPAA compliance under the HIPAA Omnibus Rule.
In OCR's audits and breach investigations, "we will really look at the level of compliance at both covered entities and business associates," Rodriguez stressed in his Sept. 23 presentation.
Under the permanent program, audits will focus on vulnerabilities that might change year to year as new issues come into focus, Rodriguez said.
A major weakness found during the pilot audit program, as well as through OCR breach investigations, has been a lack of thorough risk analysis, he added.
Contractor Not Selected Yet
OCR has been hiring personnel with experience in audits who will work with a contractor that will be hired for the permanent program, Rodriguez said. KPMG was the contractor for the pilot program.
Mac McMillan, CEO of CynergisTek Inc., an information security consulting firm, said it's possible that OCR could choose to work with more than one firm to conduct the next round of audits, or perhaps choose a prime contractor that works with several subcontractors.
McMillan speculated that the current budgetary climate in Washington, with the threat of the federal government shutting down next week in a dispute over pulling the plug on federal healthcare reform, is one reason why OCR is waiting until next year to launch the permanent program.
Rodriguez said OCR is asking for a budget increase and also will use $4.5 million in collected HIPAA non-compliance penalties to help fund its audit program.
Enforcing HIPAA Omnibus
Enforcement of compliance with the HIPAA Omnibus Rule began on Sept. 23 (see: Enforcing HIPAA Omnibus: What to Expect).
In his presentation, Rodriguez said to those who are wondering how the new rule will be enforced: "You'll see a picture of where we'll spend our energies" based on previous enforcement actions.
Enforcement actions to date have focused on cases involving major security failures, where a breach incident led to investigations that revealed larger systemic issues, Rodriguez said. Other enforcement cases have included inappropriate disclosure of data and the denial of patients' access to their own records.
Additionally, Rodriguez said he expects that OCR "will leverage more civil penalties." And he noted that his office has approval to bank penalties it collects to fund enforcement actions across fiscal years. Being able to bank penalties will enable OCR "to maximize funding our auditing and breach analysis" activities, he added.