In November 2013, the Office of Inspector General (“OIG”) published a report in which it stated that the Office for Civil Rights (“OCR”) has gaps in its oversight and enforcement of the Health Insurance Portability and Accountability Act (“HIPAA”). One such activity deserving focus and improvement, according to the OIG, is the periodic audits of covered entities to ensure their compliance with the HIPAA Security Rule (the “Security Rule”), which establishes standards for protecting electronic protected health information (“ePHI”). The audit program was mandated by the Health Information Technology for Economic and Clinical (“HITECH”) Act. Based on this report and comments from OCR staff, it is expected that Security Rule enforcement and audits will increase in 2014.
In 2011, OCR implemented a pilot audit program to assess the policies and procedures implemented by 115 covered entities to comply with the Privacy, Security, and Breach Notification Rules. Since that time, however, OCR has not further audited covered entities to ensure compliance. According to the OIG, the lack of audits has prevented OCR from fully understanding the main areas in which ePHI is at risk. In response, OCR stated that it has been evaluating the results of the pilot program, but no funds had been allocated to implement a permanent audit program.
Nevertheless, Leon Rodriguez, the director of OCR, announced that the audit program would begin again in 2014. Rodriguez further stated that the scope of the audits will be narrower, which will allow OCR to audit a higher volume of covered entities. Additionally, business associates, as well as covered entities, will be subject to the audits. Rodriguez expects that there are several entities operating as business associates that do not realize they are business associates.
Rodriguez has made it his goal to develop an enforcement mechanism so that covered entities approach OCR enforcement with the same vigilance with which they approach OIG enforcement. Given this goal, covered entities and business associates can expect that OCR will enhance its enforcement efforts in the coming year, particularly with respect to the audit program.