The year 2013 started with a bang for HIPAA-regulated entities, with the passage of the long-awaited HIPAA Omnibus Rule, implementing privacy, security, breach notification, enforcement and other provisions of the HITECH Act. Omnibus Rule momentum carried through much of the year with an industry-wide push to comply with the September 23, 2013 compliance date for significant provisions of the Omnibus Rule.
One of the drivers of Omnibus Rule compliance momentum was the HITECH-mandated audit program, which was implemented by the Office for Civil Rights (“OCR”) through a pilot audit program in 2011. In addition to being a source of concern for regulated entities (with its extensive document requests, aggressive turnaround times and on-site, top-to-bottom organizational scrutiny), it has been a source of compliance guidance (with a comprehensive audit protocol published by OCR to provide insight into the agency’s compliance approach and priorities).
In late November 2013, the U.S. Department of Health and Human Services Office of Inspector General (“OIG”) released a report entitled: The Office for Civil Rights Did Not Meet All Federal Requirements in Its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule. In its report, the OIG criticized OCR for its failure to implement a program of periodic audits to ensure security rule compliance among covered entities and business associates. In response to OIG’s findings, OCR commented that no funds had been appropriated for a permanent HITECH audit program and that funds to support its pilot audit activities were no longer available.
It will be interesting to see what happens to Omnibus Rule compliance efforts going into the new year and whether lack of audit funding will be perceived by the industry as a reduced risk of audit, investigation or even enforcement generally. OCR has not updated its audit protocol to reflect new Omnibus Rule compliance requirements and has not released findings of its own review of the pilot audit program, so the work of the pilot program is unfinished.
However, there is no reason to believe that HITECH enforcement will relent in 2014, especially because the HITECH Act authorized the transfer of funds collected through civil monetary penalties or monetary settlements for HIPAA violations to OCR to support enforcement efforts. Enforcement has been, and remains, a largely complaint-driven process, and there is no reason to believe that will change in 2014. Accordingly, covered entities and business associates are encouraged to remain diligent and continue with Omnibus Rule compliance efforts as if audit was inevitable in 2014.