OCR Director Discusses Upcoming HIPAA Audits, Additional Rulemaking in 2015

by George H. Parsells, III and Leonardo M. Tamburello

Audits of Covered Entities and their Business Associates, which are required under the HITECH Act, have been delayed into 2015 because audit procedures have not been finalized, according to comments made by Jocelyn Samuels, the Director of Health and Human Services’ Office for Civil Rights (OCR). During a recent conference call with the media, Director Samuels would not commit to a specific timeline for the audits. These new audits will be done in-house by OCR and will incorporate lessons learned from the audits of 115 covered entities conducted in 2012 by KPMG, as well as changes following enactment of the Final Omnibus Rule in 2013. Although all aspects of HIPAA compliance may be examined, it is expected that through these audits OCR will closely scrutinize organizational Risk Assessment and Risk Management. OCR anticipates that these audits will help it to identify best practices and uncover risks and vulnerabilities to privacy and security. Also according to OCR, the audits are expected to allow it to provide additional guidance and further refine future rulemaking regarding security and privacy.

In addition to the highly anticipated audits, OCR’s other plans for 2015 include:

  • A proposed rule that would allow individuals adversely affected by breaches of their protected health information to share in a percentage of the fine assessed by OCR against the party or parties responsible for the breach.
  • Additional guidance regarding the “minimum necessary” rule, which OCR views as intended to advance the policy goal that PHI only be used or disclosed when necessary for a particular purpose or to carry out a specific function.
  • Further clarification and guidance concerning the use of cloud storage and cloud computing services that have proliferated since the last major regulatory pronouncements related to the Security Rule.
  • Rulemaking related to providing patients, upon request, with an accounting of PHI disclosures.