alphaspirit - Fotolia

After many delays, OCR HIPAA audits will start in 2016

After a nearly two-year delay, OCR HIPAA audits of healthcare organizations are starting this year, though it is unclear exactly when audits will begin.

Let the audit season finally begin.

After long delays, the Department of Health and Human Services' Office for Civil Rights this year will begin OCR HIPAA audits of healthcare organizations and their business associates.

The audits of compliance with the HIPAA privacy, security and breach notification rules are intended to enforce observance of the federal healthcare privacy law. They come as the health IT industry increasingly is being hit by major health data breaches and hacker attacks.

Rob Rhodes, an advisory board member of the Association for Executives in Healthcare Information Security, and vice president for product management at health IT security software firm Iatric Systems Inc., based in Boxford, Mass., called 2015 "the year of the breach," referring to health data breaches at several big healthcare organizations, and 2016 "the year of the ransomware attack."

"That really ramps up the pressure on the federal government to do something," Rhodes, a former healthcare CIO, said.

The start of necessary audits

OCR officials at the 24th annual HIPAA Summit in Washington, D.C., earlier this week disclosed that the much-anticipated audits -- which have been expected for nearly two years -- are kicking off with a relatively minor step, but one that signals the audit process is underway.

Before the OCR HIPAA audits can start, the agency needs to verify that primary contacts and email addresses of HIPAA-covered entities are correct. OCR has emailed, or sent by regular mail, verification notices to what are thought to be about 1,200 potential audit subjects.

OCR address verification email
An OCR address verification email

Once organizations have responded, OCR will send surveys to ascertain details about the organizations before selecting a representative sample of about 200 audit subjects, said David Holtzman, vice president of compliance at CynergisTek, Inc., a health data privacy and security consulting firm in Austin, Texas.

This is the long-awaited start of the tortoise moving across the start line.
David Holtzmanvice president of compliance, CynergisTek Inc.

"This is the long-awaited start of the tortoise moving across the start line," Holtzman, a former OCR health IT and HIPAA security rule senior legal adviser, told SearchHealthIT.

The first phase of OCR HIPAA audits -- pilots that carried no fines or penalties -- were held in 2012, and the official audits first had been expected in fall 2014. But OCR cited technical problems with its Web portal as one reason for pushing out the audit program, and Congress has not granted the agency's request for funding for a permanent audit program.

Notice that audits will begin this year "is the first tangible, outward sign that the phase-two audit program has begun," Holtzman said.

Audits critical to protecting patients

The OCR HIPAA audits are critical to protecting patients' health information, Rhodes said. "A lot of people didn't necessarily take the audits seriously because of the poor state of cybersecurity in healthcare, but the feds don't have any choice but to do this and take their mandate seriously."

The HIPAA Final Security Rule of 2003 requires healthcare providers to conduct thorough risk assessments. The pilot audits revealed that 80% of audited organizations had not fully complied with the risk assessment rule, nor with the HIPAA Omnibus Rule of 2013, which subjected business associates to HIPAA.

Also, a 2014 survey showed that only 32% of physician practices were aware of the OCR HIPAA audit program, highlighting an industry trend that has large health systems generally more prepared to be audited than smaller providers.

HIPAA compliance a competitive advantage

Rhodes said providers of all sizes are more ready to be audited than in the past, in part, because of pressures in the healthcare marketplace to protect patient health data.

"Patient trust is going to be a competitive advantage," Rhodes said, noting that good performance in an audit could become a marketing tool for healthcare organizations. "Hospital organizations finally understand that it's not just about federal or state regulations, but [health IT cybersecurity] is a global problem, and they really have no choice but to take seriously, if they're going to stay in business."

CynergisTek's Holtzman said the level of consternation among provider organizations about the impending audits is considerable, and he's already received many calls from worried healthcare executives about what to do.

"Nothing spurs interest like a deadline," he said.

Next Steps

OCR director declined timetable for audits

FBI sounds health data cybersecurity alarm

Health data security guru: OCR preparation delayed audits

Dig Deeper on Electronic health records security compliance