The second round of HIPAA compliance audits likely will include more enforcement actions, according to Anna Spencer, a partner at law firm Sidley Austin LLP.
The Department of Health and Human Services' Office for Civil Rights hasn't announced exactly when the audits will resume, other than to say they will begin in early 2016.
"I believe this round of audits will lead to some enforcement actions because we're really past the point where OCR said, 'We're really using this program as an educational tool,'" said Spencer in an interview with Healthcare Info Security. "Just given the passage of time since the passage of HITECH regulations, the idea, I think, is that covered entities and business associates have had time to get their house in order and also there is a significant amount of political pressure on the agency right now."
She points to pressure from members of Congress, who have criticized the agency for not doing enough to protect victims of medical breaches, and to reports from the Office of the Inspector General criticizing the agency, for instance, for not doing enough to investigate small breaches.
While OCR itself hasn't specifically signaled that it intends to lean toward enforcement in these audits, it has been suggested that they will be different from the first round, Spencer said. For one thing, they will cover business associates, as well as covered entities.
"The original program was aimed at education--educating covered entities on their compliance obligations," she said. "This round of audits, the government has indicated, will really be more focused on meeting compliance obligations."
In May, OCR sent out pre-audit screening surveys to covered entities that could be selected for the second round; in September, the agency announced it had selected the vendor that will conduct the audits, Ashburn, Virginia-based FCi Federal.