OCR Provides More Information Regarding HIPAA Phase 2 Audits and Rulemaking

by Leonardo M. Tamburello

At the Healthcare Information and Management Systems Society (HIMSS) annual conference, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which is tasked with enforcing HIPAA, provided new information but no definitive timeline regarding the long-awaited “Phase 2” HIPAA Audits. We recently discussed these initiatives in a prior blog post.

It is widely expected that these Phase 2 HIPAA Audits will focus on areas of non-compliance identified in OCR’s initial round of audits, which occurred in 2012. Unlike the first time, the Phase 2 Audits will include Business Associates as well as Covered Entities, randomly selected by OCR. The audit itself is expected to take the form of either a “desk audit,” where documents are submitted to OCR, or an on-site visit. It is also anticipated that these audits will be somewhat narrower in scope, focusing on the Security Rule, Privacy Rule or Breach Notification Rule.

Perhaps due to the change in leadership last July, when Jocelyn Samuels was named the new OCR Director, along with its focus on developing the audit selection process and protocols, OCR has been remarkably silent in recent months. In the first seven months of 2014, OCR announced five Resolution Agreements totaling over $7.5 million. Since then, it has announced only one other Resolution Agreement for the remainder of 2014, and none so far in 2015.

This silence should not be taken as any indication that OCR no longer regards enforcement as a useful compliance tool. Given that OCR is expecting approximately 17,000 breach reports this year, and given the magnitude of the high-profile health care data breaches in the news recently, OCR appears to be focusing its enforcement efforts on situations that are likely to have the largest compliance impact, both for the specific parties involved and for the industry in general. OCR’s relative silence regarding Resolution Agreements is not expected to last, and because most investigations take several years to complete, it is not reflective of actual inactivity at OCR. In all likelihood, more Resolution Agreements will be announced later this year, along with the Phase 2 HIPAA Audits.

Now is the time for Covered Entities and their Business Associates to prepare for these Phase 2 Audits. Some practical and cost-effective ways of doing this include:

  1. Conduct a Risk Assessment, with a particular focus on mobile devices, encryption, access control, data security (both while data is “at rest” and “in motion”), and user compliance with security protocols.
  2. Re-Evaluate Your Business Associate Relationships by creating an updated list of all BAs and ensuring that you have a current BA contract with each that satisfies the HITECH Act and the Omnibus Rule. In addition, Covered Entities should ask all of their BAs for a list of any sub-BAs that may use PHI or to which they may disclose PHI, along with copies of those BA Agreements.
  3. Review, Update, and Retrain Workforce Members on Current HIPAA Policies and Procedures. To get the most out of the privacy policies and procedures established for your organization, all workforce members should receive regular refresher training that is documented and maintained for at least six years.

In addition to the Phase 2 HIPAA Audits, OCR is expected this year to issue rulemaking concerning the Breach Notification Rule, marketing initiatives that use PHI, and HIPAA’s Accounting of Disclosures Rule.

As we look forward to the warmer months, expect enforcement, rulemaking and Phase 2 HIPAA Audits to heat up as well.