Phase II of the federal HIPAA audit program remains "under development," Jocelyn Samuels, director of the Health and Human Services Department's Office for Civil Rights, said Monday at the 23rd National HIPAA Summit in the District of Columbia.
Samuels reiterated that OCR plans to use lessons learned from the program's first phase, which included 115 pilot audits. OCR's initial plan was to kick off the next round of audits last fall. Those plans, however, were temporarily derailed late last summer as the agency worked to tweak an online portal through which entities could submit information. That portal is still in the process of being set up, she said.
"We are committed to implementing a robust audit program," Samuels said. "I can promise you two things: The first is, it's coming; I can't promise you the specific date, but it's happening. The second is that we are committed to transparency in this process."
To that end, Samuels said OCR will provide information on protocols it plans to use, the agency's expected approach and the timeframe in which the audits will take place, as soon as the information is available.
When OCR does resume its efforts, some changes will include the department's staff conducting "desk audits" of a narrower focus and comprehensive on-site audits "as resources allow." In addition, the updated protocol will reflect changes in the HIPAA Omnibus Rule and more specific test procedures.
In addition to the audit program, Samuels said OCR plans to issue more guidance on cloud computing and other technologies in 2015. The agency also will work closely with the Office of the National Coordinator for Health IT, the U.S. Food and Drug Administration and the National Institutes of Health on the application of HIPAA to emerging technologies and new delivery systems.
"HIPAA is technology neutral," Samuels said. "But we also want to make sure we are providing adequate guidance about how HIPAA applies to new forms of delivery system of care or mobile apps or texting."