HIPAA audits to be narrower with fewer site visits

When the U.S. Department of Health & Human Services' Office for Civil Rights resumes HIPAA audits this fall, its own staff will conduct what it's calling "desk audits" of a narrower focus and comprehensive on-site audits "as resources allow."

About 350 covered entities will receive data requests this fall and 50 business associates will be notified in 2015, reports Healthcare Info Security.

An updated audit protocol will be used that reflects the changes made by the HIPAA Omnibus Rule and includes more specific test procedures. Findings from the 115 pilot audits in 2012, along with feedback from the entities audited, will also be incorporated.

While OCR contracted with consulting firm KPMG to conduct the pilot program, the permanent program will be carried out in-house.

Common problems from the pilot phase, such as compliance with the HIPAA breach notification rule, will be areas of particular focus, the article states, citing a presentation at the Health Care Compliance Association Conference by Linda Sanches, OCR senior adviser for health information privacy.

In the pilot program, a lack of thorough risk analysis was found to be a major weakness. OCR Director Leon Rodriguez has said the permanent program will place special emphasis on vulnerabilities that can change from year to year.

Covered entity audits in 2015 will focus on issues including computing device and storage media security controls, transmission security, and HIPAA safeguards such as procedures and staff training. The focus in 2016 will include physical access, encryption, decryption and other issues, according to the article.

OCR recently levied its first fine against a local government for HIPAA non-compliance. Skagit County in Washington state was ordered to pay $215,000 for failing to act after a hospital's September 2011 self-reported breach compromised the electronic protected health information of close to 1,600 people served by the public health department.
