HIPAA Audits: Mid-year 2017 update

In previous blogs, we reported that the Phase II random HIPAA audits were underway. If you weren’t one of those chosen so far, you may be wondering what’s been happening.

The Phase II audits began in 2016 and included covered entities as well as business associates. They were intended to start with desk audits and progress to onsite audits. Desk audits, consisting of a limited-scope examination of documents and records, are conducted offsite.

Recently, Deven McGraw, deputy director of the Department of Health and Human Services’ Office for Civil Rights (OCR), announced that plans for initiating onsite audits are currently on hold and will remain so until the 200 desk audits currently in the pipeline have been completed. So far, the OCR has performed remote desk audits on 166 covered entities with an additional 44 audits on business associates. Finalized reports for those covered entities have been submitted to the OCR for review, but have not yet been made public. Reports on business associate audits have not yet been submitted to the OCR for review.

Another cause for delay is that Dr. Tom Price assumed his role as the new Secretary of Health and Human Services in February. Once Dr. Price settles into his new position, we can expect to hear more about the revised timeline for onsite audits.

All accounts lead us to believe the OCR plans to continue its aggressive HIPAA enforcement activities in 2017.

In addition to being selected for a random audit, you could wind up on the OCR radar if a patient files a complaint against you or you experience a reportable breach. It pays to be very attentive to your HIPAA compliance program; don’t leave anything to chance, such as not customizing policies and procedures or skimping on quality IT services.