The HIPAA audits are coming.
We’ve heard that refrain before. But now it appears the of real (as opposed to pilot) HIPAA audits by the Department of Health and Human Services Office for Civil Rights (OCR) is finally getting close.
That’s the report on the blog of Seattle-based law firm Davis Wright Tremaine LLP, which, like a lot of law firms, closely monitors HIPAA policy issues.
One sign of the impending arrival of the audits of HIPAA “covered entities,” such as healthcare providers and their business associates, is the recent 2015 HIPAA Security Conference held by the National Institute of Standards and Technology (NIST) and OCR.
Davis Wright Tremaine tracked the conference, reporting that OCR’s new deputy director, Deven McGraw, pledged new guidance on the audits possibly by October.
By the way, NIST recently released this draft guide for securing electronic health records on mobile devices.
In the meantime, the law firm reported that OCR officials at the conference said the agency is still in the process of choosing which providers or business associates to audit.
After the conference, Davis Wright Tremain said McGraw announced that OCR will put its audit plans up for public comment later this year, so the audits are likely not coming until 2016.
That is pretty late. It means the audits will start hitting just as the Obama administration slides into full lame duck status and OCR Director Joceyln Samuels, who took over the post a year ago, will likely be making exit plans as is customary for top administration officials when the end of their president’s term nears.
That could throw the entire audit program into another stall mode until after the November 2016 election.