A February 22 article in Bloomberg BNA’s Health Care Daily Report and other publications, “Federal Privacy Audits Continue to Scare Health-Care Providers,” discussed the ongoing HIPAA audits conducted by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), which assess providers’ ability to maintain the privacy and security of patient records. Day Pitney’s Eric Fader was quoted in the article.Providers have to make an initial investment of time and money when creating a HIPAA compliance plan, including paying fees to consultants or attorneys who can help with the process, but the overall expenditure isn’t large, Eric said. “A more significant ongoing burden [for providers] is training employees in HIPAA matters and retraining them at least annually, performing periodic risk assessments, and other compliance requirements that in my experience are often overlooked,” he said.
Last year at this time, it appeared that the OCR would shift fairly quickly from education mode to enforcement mode for those audited covered entities whose HIPAA compliance was found to be lacking, but then enforcement ground to a virtual halt overall. The preliminary results of the covered entity desk audits, released by the OCR last September, showed that over 90% of the entities audited were not in compliance with one or more basic HIPAA requirements, including maintaining security risk management plans and conducting risk analyses. These audit subjects comprise a large pool of potential targets for high-profile enforcement actions, and there is no reason to believe that the results of the desk audits of business associates (currently ongoing) will be any better.
The OCR has stated that it plans on-site audits of both covered entities and business associates after the desk audit process is completed. However, it is possible that internal turnover at the OCR, including the recent departures of Deven McGraw and Iliana Peters, the last two Deputy Directors for Health Information Privacy, will affect these plans.