Liles Parker PLLC
(202) 298-8750 (800) 475-1906
Washington, DC | Houston, TX
San Antonio, TX | Baton Rouge, LA


New OCR Audits of HIPAA Practices Have Been Announced

OCR audits are taking place around the country.

(March 26, 2014) Last month, the Department of Health and Human Services Office for Civil Rights (OCR) announced that it will survey up to 1,200 organizations as the first step in preparing for the next round of OCR audits, which will examine the HIPAA privacy, security, and breach notification practices of covered entities and business associates. More importantly, every one of these organizations should be asking itself a simple question: have we fully complied with the HIPAA Privacy, Security, and Breach Notification Rules?


I. HIPAA Omnibus Final Rule:

In January 2013, HHS issued a final rule strengthening the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)[1].  According to HHS, the HIPAA Omnibus Final Rule "greatly enhances a patient's privacy protections, provides individuals new rights to their health information, and strengthens the government's ability to enforce the law."  In practical terms, the rule gives patients greater protection of, and control over, their personal health information.

The Final Rule extended direct liability under HIPAA's Privacy and Security Rules beyond covered entities (i.e., health care providers, health plans, and health care clearinghouses that process health insurance claims) to the business associates of those entities that create, receive, maintain, or transmit protected health information (PHI). It also raised the penalties for noncompliance, which are tiered according to the level of culpability, up to a maximum of $1.5 million per calendar year for all violations of an identical provision. Furthermore, the changes strengthened the Health Information Technology for Economic and Clinical Health (HITECH)[2] Breach Notification requirements by clarifying when an impermissible use or disclosure of unsecured PHI is presumed to be a reportable breach: it must be reported to the affected individuals and to HHS unless the entity can demonstrate, through a documented risk assessment, that there is a low probability that the PHI was compromised.

II. HIPAA Pilot Audit Program:

Notably, HITECH requires HHS to perform periodic audits of covered entities and business associates in order to assess their compliance with the HIPAA Privacy, Security, and Breach Notification Rules. HHS has delegated enforcement of these rules to OCR, which determines whether covered entities and business associates are compliant.

In 2011, OCR established a pilot audit program to assess the controls, processes, and policies that covered entities had implemented to protect the privacy and security of PHI. Under this pilot program, OCR developed an audit protocol and used it to audit 115 covered entities. Notably, every type of covered entity was eligible for selection. As part of its ongoing commitment to protecting patient health information, OCR also commissioned a formal evaluation of the effectiveness of the pilot audit program.

In April 2013, OCR released its findings from the HIPAA audit pilot program. OCR found that most of the audited entities (which included health plans of all types, health care clearinghouses, and individual and organizational providers) had compliance gaps in each of the three audit areas: the HIPAA standards for security, privacy, and breach notification.

OCR also determined that most of the covered entities (two-thirds of those audited) had failed to perform a comprehensive and accurate security risk assessment. Remarkably, OCR found that the most common explanation for non-compliance was that the entity was "unaware of the requirement."

On the privacy side, the requirements covered entities were most often "unaware" of were the notice of privacy practices for PHI, individuals' right of access to their PHI, the minimum necessary standard, and authorizations.  On the security side, the requirements they were most often "unaware" of related to risk analysis, media movement and disposal, and audit controls and monitoring.

OCR also found that "Level 4 entities" – i.e., small providers (practices of 10 to 50 providers, community or rural pharmacies), entities with little or no use of health information technology, or providers with revenues of less than $50 million – were generally vulnerable and non-compliant in all three audit areas. In fact, entities in this category accounted for 65% of all audit findings.

III. The Next Round of OCR Audits Is Here:

In a February 2014 notice in the Federal Register, OCR announced that it would survey up to 800 covered entities and 400 business associates to gather information as the first step in selecting organizations for the next round of HIPAA audits. Specifically, the survey "will gather information about respondents to enable OCR to assess the size, complexity and fitness of a respondent for an audit." The information OCR intends to collect includes "recent data about the number of patient visits or insured lives, use of electronic information, revenue and business locations."

This survey points to a revival of OCR audits, which have been dormant since the pilot audit program concluded in December 2012. The next round will give OCR another opportunity to examine the different mechanisms entities use to comply with HIPAA/HITECH, identify best practices, and uncover new risks and vulnerabilities.

What can providers and business associates expect in the next round of OCR audits of HIPAA practices?  They should anticipate that OCR will focus squarely on the problem areas identified in the pilot program: timely and thorough security risk assessments, effective and ongoing risk mitigation plans, breach notification procedures, encryption of PHI, workforce training, and written policies and procedures.

IV. Final Remarks:

It is imperative that all covered entities and their business associates affirmatively review their practices to ensure that they are fully compliant with every requirement of the HIPAA Privacy, Security, and Breach Notification Rules.  With the latest survey set to precede an additional round of HIPAA audits, OCR appears to be signaling a renewed and stronger push by its audit program.  So what should you do to prepare?

Ultimately, each and every covered entity and business associate needs to develop, implement, and adhere to an effective Compliance Plan.  Doing so helps ensure that your continuing obligation to comply with all applicable statutory and regulatory requirements is being met.  Need help developing and implementing your Compliance Plan?  Give us a call.

Healthcare Attorney Robert W. Liles, Esq., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with Medicare audits by RACs, ZPICs, and other CMS-engaged specialty contractors.  The firm also represents health care providers in HIPAA Omnibus Rule risk assessments, privacy breach matters, State Medical Board inquiries, and regulatory compliance reviews.  For a free consultation, call Robert at:  1 (800) 475-1906.

[1] Pub. L. 104-191, 110 Stat. 1936.

[2] Enacted under Title XIII of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5).
