The much-awaited first round of HIPAA audits of healthcare organizations and their business associates will be further delayed.
The reason? Audit procedures still are not ready, Jocelyn Samuels, director of the Department of Health and Human Services' Office for Civil Rights (OCR), said during a conference call with health IT, business and legal reporters. OCR is refining the protocols, which should be complete soon and allow the long-delayed audits to launch, she said.
Samuels said OCR is also planning some new initiatives in 2015, including:
- A proposed rule that would give people harmed by breaches of their protected health information (PHI) a percentage of any civil penalty paid by the offending healthcare organization or business associate.
- New guidance on cloud computing and the privacy and security of PHI.
OCR will use both enforcement and education to encourage compliance with HIPAA's requirement that patients have the right to receive their own personal health data.
"It is important to ensure that individuals have access that is guaranteed under the privacy rule," Samuels said, adding that guidance documents about those rights are forthcoming.
Audits 'send a strong message'
The upcoming audits are critical to ensuring compliance with HIPAA privacy and security laws related to electronic PHI, she added.
Audits and civil penalties "send a strong message to industry about compliance," Samuels said.
However, the veteran federal civil rights official, who has been at the helm of OCR since September 2014, declined to say when the audits -- originally scheduled to begin in October 2014 -- would kick off.
OCR started random pilot audits in 2012. But 2015 is the first year business associates, such as insurance and billing companies, will be audited as part of an annual undertaking to prod the healthcare industry to adhere to privacy and security laws in the age of pervasive electronic health data.
It is still unclear if business associates could be hit with fines.
"We don't want to shortchange compliance by doing audits before we're ready," Samuels said, urging healthcare systems and other groups covered by HIPAA's privacy and security rules to watch OCR's website for updated information about the audits.
The remarks were Samuels' first to the media since a speech at ONC's Consumer Health Summit in Washington, D.C., in September 2014, shortly after she was appointed.
Samuels said OCR expects some 17,000 HIPAA violation complaints to be filed in 2015.
Big-time violations remain a focus
Samuels said that OCR's top priority continues to be "high-impact" breaches of PHI, such as 2014's $4.8 million settlement with New York Presbyterian Hospital and Columbia University after the healthcare system exposed 6,800 individual patient records.
Targets of such high-impact audits will be those involving "egregious" violations and high numbers of affected individuals, she said.
At the same time as it has pursued enforcement, Samuels noted that OCR has brought to informal resolution some 30,000 cases since the HIPAA privacy rule took effect in 2003.
The main HIPAA violations OCR focuses on are failure to conduct risk evaluations of data breaches, ignoring security threats to PHI, and poor training of staff in how to protect PHI, she said.
In the meantime, Samuels said OCR is working on revamping its website -- which she and other OCR officials have acknowledged has some problems, including lack of ease of navigation -- to make educational and training materials easier to find and to free up regional staff in 10 centers across the country to focus more on enforcement. She also said the agency is re-working its Web portal for covered entities.