2016 has been and will continue to be a tough year for Covered Entities that need to carry out audits required under HIPAA. The Office of Civil Rights (OCR) has cracked the whip on HIPAA entities and will be carrying out more HIPAA audits in the next round. Covered Entities can now expect more audits to follow from HIPAA during the year.
Putting the accelerated need for HIPAA audits in context
Why this rush towards greater attention in ensuring HIPAA audits by Covered Entities, although they were required to carry out these changes as back as August 2013, as part of the Final HIPAA Omnibus Rule?
This need for a fresh, second round of HIPAA audits has been necessitated after the findings of the Office of Inspector General (OIG) during 2015, where it found that there was noticeable lag in the implementation of the HIPAA guidelines, and recommended that there was sufficient scope for improvement in the major areas of health security, mainly in relation to HIPAA compliance and follow up action whenever there was a PHI breach.
Result of two reports
The decision to carry out these fresh audits, on a random basis, is the result of two observations by the OIG on the functioning of the OCR in relation to HIPAA audits.
In the first of these, the OIG made its observations based on its assessment of the OCRâ€™s levels of success in ensuring compliance with HIPAA regulations by Covered Entities. In this part, although the OIG found that the OCR had been carrying out its audits, these had not been proactive in nature and had only been more of a reactive nature, in responding to breaches rather than preventing these. The OIG expects the OCR to change this approach. To comply with this guideline, the OCR initiated a pilot audit program which is aimed at assessing the success level of the audit program.
Yet, despite these steps being taken by the OCR in accordance with the directions of the OIG; the former has not yet set a date by which it will begin permanent audits. This is why the OIG has begun its second round of audits for Covered Entities to scrutinize their HIPAA compliance, because it feels it cannot wait till OCR announces a date for its permanent audit.
What does the OIG expect of the OCR when it comes to permanent audits?
The OIG has recommended a set of guidelines for the OCR to implement as part of permanent audits. While ensuring greater HIPAA compliance from Covered Entities through a more proactive role from the OCR has been the primary reason for issuing these guidelines; lacunae in the various documentation aspects of HIPAA on the part of Covered Entities are another reason. These recommendations include:
o Implementing a permanent audit program fully
o Maintaining a complete trail of documentation of the corrective actions the OCR has taken in places in which it found errors
o Putting in place a tracking system that helps it to locate Covered Entities it has audited
o Putting in place a mechanism to ensure that audits done on Covered Entities are not repeated, thus avoiding double work
o Making efforts to educate Covered Entities about the compliance program and implement outreach programs toward this end
The follow-up on the second report
The second report of the OIG was also a result of the investigations it carried out into the level of HIPAA compliance by Covered Entities, but this time, it was about the extent to which the OCR followed up with entities that had been having Protected Health Information (PHI) data breaches. Here, the OIGâ€™s major finding related to the lack of documentation practices on the part of OCR when it came to following up on the corrective actions taken by Covered Entities that were arraigned for a data breach.
The major lacuna that the OIG found in the documentation process related to the gap in following up on corrective actions taken by smaller entities, and in about two fifths of the audits carried out, not even reporting them. The OIG expressed its serious concern about this action from the OCR and suggested that it take steps to put in place an effective tracking system for auditing every Covered Entity, big or small.
So, as a result of all these findings from the OIG, which took place during 2015, the need for fresh HIPAA audits for ensuring compliance by Covered Entities has arisen.
For more information:Editor's DetailsJohn Robinson
Last updated on: 07/09/2016