The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) is preparing to launch a second, more ambitious round of HIPAA audits. For the first time the audits will include business associates of HIPAA covered entities, and they could result in enforcement penalties for violators.
Over the summer, OCR had planned to send pre-audit surveys to between 550 and 800 entities in preparation for what it calls “Phase 2 audits,” which begin this fall. These follow Phase 1, a pilot round of audits of 115 entities conducted over the past year.
The pilot audits did not include business associates, carried no penalties, and were performed by subcontractors. The upcoming audits are expected to be done primarily by OCR staff, according to the National Law Review.
However, the new audits will be desk audits rather than on-site visits, the National Law Review said. Auditors won’t be able to seek clarification or additional data, and they will only take into consideration data submitted on time.
From the pre-audit review, OCR is expected to select about 400 entities for the actual HIPAA audits.
Of those, about 350 are supposed to be covered entities – 232 healthcare providers, 109 health plans and nine healthcare clearinghouses. The rest, about 50, are expected to be business associates.
In addition to being performed by OCR staff rather than contractors, the second round of audits will differ from the pilot audits in targeting specific HIPAA standards, including the Privacy Rule and patient access to protected health information (PHI). The first audits revealed a high rate of non-compliance with these standards.
The National Law Review reported that OCR will audit 100 entities for compliance with the Privacy Rule, including Notices of Privacy Practices and patient access to PHI. Another 100 entities will be audited for the content and timeliness of notifications under the Breach Notification Rule, and 150 will be audited on the risk analysis and risk management standards of the Security Rule.
Business associate audits will cover only risk analysis and risk management under the Security Rule, as well as breach reporting to covered entities.