Will HIPAA Audits Result in Settlements? Attorney Predicts OCR Audit Focus Will Shift to Enforcement
As the Department of Health and Human Services gears up to launch its second round of HIPAA compliance audits in 2016, the focus of federal regulators will shift to using these audits to implement potential enforcement actions, including financial settlements, predicts attorney Anna Spencer.
When HHS' Office for Civil Rights first launched its pilot HIPAA audit program, it audited 115 covered entities of varying sizes and types in 2011 and 2012 for their level of compliance with the HIPAA privacy, security and breach notification rules. Now, as OCR readies its next wave of audits, which will cover business associates as well as HIPAA covered entities, the agency's attention will change, says Spencer, a partner at law firm Sidley Austin LLP.
"This [new] program will be different from the original program. The original program was aimed at education - educating covered entities on their compliance obligations. This round of audits, the government has indicated, will really be more focused on meeting compliance obligations, less about education - and there will be more - I think - possibilities of settlements or enforcement actions coming out of the program," she notes.
To date, OCR HIPAA enforcement actions - including a record $4.8 million resolution agreement with New York-Presbyterian Hospital and Columbia University in 2014 - have almost entirely sprung out of non-compliance issues discovered by regulators during breach investigations. But that will change with the next phase of audits, Spencer predicts in an interview with Information Security Media Group.
"I believe this round of [compliance] audits will likely lead to at least some enforcement actions because...covered entities and business associates have had some time to get their houses in order, and also there is a significant amount of political pressure on the agency right now," she says.
That includes increased scrutiny by some members of Congress who have questioned whether OCR is doing enough to assist victims of medical identity theft stemming from health data breaches (see Senators Want ID Theft Answers from HHS). In addition, HHS' Office of Inspector General in recent reports has criticized OCR for lackluster HIPAA enforcement activities, she notes (see OIG: HIPAA Enforcement Activities Need a Boost).
In the interview, Spencer also discusses:
- How covered entities and business associates should prepare for possible HIPAA audits;
- What OCR will likely examine during the next round of HIPAA compliance audits;
- Why healthcare entities that have not reported a major HIPAA breach could be even more likely to be chosen for a HIPAA compliance audit than covered entities that have reported incidents appearing on OCR's "wall of shame" of breaches affecting 500 or more individuals.
Spencer is a partner and team leader for health information policy in Sidley Austin LLP's healthcare and privacy, data security and information law practices. Based in the firm's Washington D.C. office, Spencer regularly counsels pharmaceutical and medical device manufacturers and healthcare providers on information privacy and security issues, advises them on compliance with various health care privacy laws, and assists them in investigating and responding to data breaches and information security incidents.