The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) recently stated that, in early 2016, it will launch Phase 2 of its audit program designed to measure compliance with HIPAA’s privacy, security and breach notification requirements. That statement was included in OCR’s response to two reports issued by the Office of Inspector General (OIG) recommending, among other actions, that OCR fully implement a permanent HIPAA audit program and strengthen its follow-up of breaches of patient health information.
OCR is working to improve its ability to capture and track corrective actions taken in response to an OCR investigation, and to search for and track an entity’s compliance history, including information relating to breaches affecting fewer than 500 individuals. OCR investigators will be required to check for prior breaches by covered entities and their business associates when commencing new investigations. Repeated investigations could make an entity a more likely candidate for an on-site visit.
In its Phase 2 program, which will include both covered entities and business associates, OCR will target common noncompliance areas and “test the efficacy of the combination of desk reviews of policies as well as on-site reviews[.]” Covered entities and business associates should therefore ensure that their HIPAA policies and procedures (including relevant workforce training) are current and robust, and should prepare for an on-site visit by OCR.
OCR will be issuing additional outreach and educational materials. Covered entities and their business associates should watch for forthcoming guidance on compliance and OCR’s audit protocols.