According to Leon Rodriguez, director of the Department of Health and Human Services’ Office for Civil Rights (OCR), federal regulators will deploy a permanent HIPAA (Health Insurance Portability and Accountability Act) audit program beginning October 1, 2014. In 2012, KPMG, the contractor for the pilot program, audited 115 covered entities. An analysis of those findings was used to design the upcoming permanent program.
According to Rodriguez, the major weakness discovered during the original audit program and investigations was the lack of a comprehensive risk analysis. Future audits will be narrower in scope but will include more organizations than ever before. Both covered entities and their business associates will be audited under the new permanent program, which will focus on vulnerabilities that could change from year to year as new issues arise.
The OCR is currently hiring personnel with experience conducting HIPAA audits. These employees will work with the new contractor(s) on audits under the permanent program. OCR may choose to work with more than one contracting firm during the next round of audits.
Enforcement of the HIPAA Omnibus Rule began on September 23, 2013. The majority of the enforcement actions focus on cases that involve major security failures, such as breaches caused by systemic issues. Other cases involve the denial of patients’ access to their own health records and the inappropriate disclosure of data.
Rodriguez also said the OCR will be enforcing more civil penalties. It has approval to collect penalties that will be used to fund future auditing and breach-analysis activities. It has asked for a budget increase and for permission to use $4.5 million in collected HIPAA non-compliance penalties to fund the permanent audit program, so healthcare entities and their business associates need to be more prepared than ever.