What better way to kick off the new year than with a new round of HIPAA audits conducted by the Office for Civil Rights (OCR)? Well, it looks like that may soon become a reality. The Office of Inspector General (OIG) released two reports last month, in which it called for the OCR to strengthen its enforcement of the Health Insurance Portability and Accountability Act (HIPAA).
In one of the reports, titled “OCR Should Strengthen its Oversight of Covered Entities’ Compliance with the HIPAA Privacy Standards,” the OIG alleged that the OCR's response to HIPAA oversight was largely reactive, meaning it typically waits until a complaint has been filed before investigating. The report goes on to say that OCR has not implemented the audit program in a manner to assess possible HIPAA violations from covered entities.
“OCR should strengthen its oversight of covered entities’ compliance with the Privacy Rule. OCR’s oversight is primarily reactive; it investigates possible non-compliance primarily in response to complaints,” wrote the HHS in its report. “OCR has not fully implemented the required audit program to proactively assess possible non-compliance from covered entities.”
According to the OIG, nearly half of the covered entities cited in the closed privacy cases were found to be non-compliant with at least one, sometimes more, HIPAA privacy standard. These cases were usually resolved by having the OCR issue a corrective action from the offending entity. But unfortunately, in about 26% of these cases the OCR did not have a means to track whether or not the covered entity corrected its privacy violations.
The OIG went one step further by publishing HIPAA audit recommendations in its report, some of which include the following:
- Develop a permanent audit program.
- Submit breach data into case-tracking systems or a similar database from which searches can be performed.
- Maintain documentation for corrective actions in the event of a HIPAA violation.
- Develop a case-tracking system in which all cases can be searched.
- Develop and expand outreach/education programs for covered entities.
So, what should you do as a covered entity to better prepare for a HIPAA audit? Start by familiarizing yourself with all of the HIPAA Rules – the Privacy, Security, and Breach Notification Rules, along with their respective requirements. Covered entities may also want to perform mock, in-house audits, searching for possible violations and correcting them before the OCR performs its official audit.