Recent news reports indicate that the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) plans to move ahead with proactive HIPAA audits of business associates and covered entities.

In the past, OCR has relied primarily on self-reports of breaches from covered entities (as required by the Breach Notification Rule) as a basis for enforcement actions. However, Section 13411 of the HITECH Act directs OCR to conduct periodic audits to ensure that covered entities and business associates are in compliance with the Security Rule. The Security Rule requires covered entities and business associates to protect the integrity and confidentiality of electronic protected health information by implementing physical, administrative, and technical safeguards.

HHS launched a pilot audit program in 2011. However, the OIG has criticized OCR for not implementing this requirement in a timely fashion, that is, for not moving forward with more widespread audits.

According to news reports, HHS has chosen a vendor for the next phase of the audit program and is verifying contact information for business associates and covered entities to be included under the program. OCR noted that the first audits will mostly consist of desk audits, under which it will ask entities to send in policies and procedures for review, though there may be some in-person audits as well.

Now that audits of internal security policies and procedures are appearing ever more likely and imminent, covered entities and business associates may want to take this opportunity to ensure that these policies are up to date and accord with the Security Rule.

Covington Digital Health Team

Stakeholders across the healthcare, technology and communications industries seek to harness the power of data and information technology to improve the effectiveness and efficiency of their products, solutions and services, create new and cutting-edge innovations, and achieve better outcomes for patients. Partnering with lawyers who understand how the regulatory, IP, and commercial pieces of the digital health puzzle fit together is essential. Covington offers unsurpassed breadth and depth of expertise and experience concerning the legal, regulatory, and policy issues that affect digital health products and services.