The Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS) released two reports last week urging the Office of Civil Rights (OCR) to retool its HIPAA enforcement efforts by the start of 2016.

OIG outlined a number of inefficiencies in the current HIPAA compliance audit procedures, the most alarming of which called for the implementation of a permanent audit program. The report read:

HIPAA enforcement

“Although OCR has made progress towards implementing the required audit program, it should fully implement a permanent proactive audit program to assess covered entities’ compliance with the privacy standards.”

The current round of audits that’s been going on in 2015–known as OCR’s Phase 1 program–has been a pilot run first executed in response to HITECH regulation. Phase 1 began back in November 2011, but it picked up in earnest this past year, already having charged HIPAA violators millions of dollars in fines.

OCR concurred with OIG’s recommendation for heavier audits, and announced that its Phase 2 audits would start in early 2016. OCR’s response, cited in an appendix to the report, states:

“OCR is moving forward with planning for a permanent audit program. We will launch Phase 2 of our audit program in 2016.”

This Phase is going to test the combination of desk and on-site reviews of policy and practice that will go into investigating a compliance breach. What’s more, the response from OCR specifically says that this next Phase “will include business associates.” Intending to demonstrate its commitment to proactive and enhanced enforcement, OCR seems to have taken upon itself this last mention of BAs being included–OIG’s recommendation only focused on CEs.

OIG listed five recommendations in each report, and OCR concurred with their assessment on all of them. The same report that called for the permanent audit program also found that there were no official OCR follow-ups in 26% of cases where corrective measures were required as the result of an audit. OCR responded that they would ensure that all auditors working on a HIPAA violation document remediation measures that have been put in place.

Another report was issued in response to the online documentation of HIPAA violations. Currently, only cases where 500 or more breaches in protected health information (PHI) have occurred are tracked by HHS. A version of that case-tracking list is publicly available and can be found on the OCR website.

Now, OCR officials have been urged to document all breaches, regardless of size, and to weigh prior case-tracking information in the event of a new violation. OIG has suggested that OCR take a CE or BA’s history of violations into account when documenting new compliance breaches, suggesting that more stringent penalties for multiple offenses might be coming soon as well.

HIPAA enforcement is again changing its face. Marc Haskelson, CEO of Compliancy Group says “The stricter HIPAA enforcement seen since the start of 2015–last month’s $750,000 fine against the Indiana-based Cancer Care Group included–isn’t some passing trend.”

With OCR under serious pressure to prioritize more comprehensive, publicly documented audits, the risks of non-compliance are greater than ever before. Haskelson says the language from HHS is clear: “With OCR’s Phase 2 audits coming down the pipeline, it’s time for CEs and BAs to start looking into long-term, proactive compliance solutions. It’s no longer a matter of ‘if’ these audits are coming, now it’s merely a matter of ‘when.'”

Article by Frank Sivilli

See How It Works