HHS's Office of Civil Rights to Launch New Round of HIPAA Audits

The Department of Health and Human Services' Office of Civil Rights ("OCR") will begin audits early next year to gauge covered entities' compliance with HIPPA's security and privacy requirements for Protected Health Information ("PHI").

Background. HIPAA establishes standards for protecting individuals' PHI that is created, received, used or maintained by covered entities, including group health plans, and business associates. This standard requires that entities design, implement and enforce appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of PHI. OCR is responsible for enforcing this standard.

In 2012, OCR published an online, searchable audit protocol that mapped HIPAA's requirements. The audit protocol is a valuable tool that organizations can use to conduct internal assessments of compliance with key HIPAA requirements, including security policy development, security monitoring and detection, security governance and management, workforce training, incident response planning, and business associate conduct and contracts.

HIPAA Audits. OCR has confirmed that its HIPAA audits will target common compliance issues and include both onsite and remote "desk views." The audits will include covered entities and their business associates, which often provide data processing and management services to the organization.

OCR's HIPAA audits will also review whether organizations have conducted enterprise-wide risk assessments to identify their technical and procedural vulnerabilities, and whether those assessments are then translated into remediation strategies, as well as operational policies and employee training. In addition, OCR is almost certain to examine organizations' preparedness to detect, respond and recover from security incidents and data breaches.

Action Steps for Covered Entities. Covered entities should conduct comprehensive risk assessments to identify issues for remediation before the OCR audits begin. To this end, covered entities should consider retaining qualified outside assistance to provide an objective view and to help develop a comprehensive plan that addresses physical, technical and administrative safeguards, and prepare and begin implementation of remediation plans.

OCR's online audit protocol is available at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html