HIPAA-regulated entities can expect 2016 to be a year of increased oversight. That’s when the Health and Human Services Department’s Office for Civil Rights (OCR) begins Phase 2 of its audit program.
The program is expected to focus on common areas of noncompliance and will include HIPAA-covered entities as well as business associates. Phase 2 “will test the efficacy of the combination of desk reviews of policies as well as on-site reviews.”
OCR is responsible for overseeing covered entities’ compliance with the Privacy Rule, which provides federal safeguards to maintain the privacy of individuals’ protected health information. To that end, OCR has indicated that it will select 350 covered entities and 50 business associates for audits during the next three years.
The increased oversight follows a report issued in September by the Department of Health and Human Services Office of Inspector General (OIG) that was critical of OCR oversight of covered entities.
In that report, the OIG found that OCR’s oversight is primarily reactive, not proactive. It noted that as of September 2015, OCR had received more than 120,000 complaints regarding alleged privacy violations since the Privacy Rule went into effect in April 2003.
The report recommended that OCR:
- Fully implement a permanent audit program
- Maintain complete documentation of corrective action
- Develop an efficient method in its case-tracking system to search for and track covered entities
- Develop a policy requiring OCR staff to check whether covered entities have been previously investigated
- Continue to expand outreach and education efforts to covered entities
OCR agreed with the OIG’s recommendations and has said it is working to improve its ability to document and track corrective actions taken by covered entities and business associates in response to an OCR investigation. It also indicated that it can now search for and track covered entities’ compliance history. OCR also will require investigators to check for prior investigations at the outset of new investigations of covered entities and business associates.
If you haven’t already done so, now is the time to begin reviewing your HIPAA policies and practices and to develop a plan for working with OCR should you become the target of an audit. Collect data beforehand and keep materials on hand to provide to auditors should they be needed. Failure to comply can lead to civil monetary penalties.
The Health Law Offices of Anthony C. Vitale can assist you in formulating a HIPAA work plan or represent your interests should you become the target of an audit.