The Department of Health & Human Services (HHS) Office for Civil Rights (OCR) Director Jocelyn Samuels still does not have a set date for when the next round of HIPAA audits will take place. Samuels spoke earlier this week at the 23rd National HIPAA Summit in Washington, D.C., and explained that the OCR has still not finalized the audit procedures, according to a Lexology contribution piece by Jennifer Hennessey.
This round of HIPAA audits had originally been scheduled for the fall of 2014, but OCR health information privacy senior advisor Linda Sanches said at the time that the audits were delayed so new technology could be properly implemented.
“In any IT project, IT plans don’t always go the way you expect them to,” Sanches said at the HIMSS Privacy & Security Forum. “There are things from the spring that I thought we’d be able to accomplish, but we weren’t able to. But I’m happy because the process that we were going to use before was much more labor intensive in terms of analyzing data.”
Samuels reportedly also mentioned the HIPAA audit protocols were still being developed, and urged covered entities to continue to monitor the OCR site to remain updated on when the audits will begin.
This latest phase of HIPAA audits is set to include business associates along with covered entities.
“The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate,” according to the HHS website. “OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits.”
Even though the procedure for the next round of HIPAA audits has not yet been finalized, HHS explained that they will be “organized around modules” that focus on the privacy, security, and breach notification aspects of HIPAA. Depending on the covered entity – or business associate – under review, the combination of these requirements could vary, according to HHS.
While there is not yet a deadline for HIPAA audits in 2015, that does not mean that covered entities and their business associates should ignore the concept entirely. The audit protocol covers areas that need to be in top working order anyway, such as the notice of privacy practices for PHI, rights to request privacy protection for PHI, and individuals’ access to PHI.
Conducting a HIPAA risk assessment is also an important way for healthcare organizations to evaluate the potential risks and vulnerabilities within their facility and how they are adhering to HIPAA. This type of analysis could also be beneficial when the HIPAA audits are announced, and could help ensure that facilities are on the right track in evaluating their privacy and security performance.
The HIPAA audit timeline continues to be pushed back, but covered entities and business associates can still ensure that they are prepared and compliant.