The Office for Civil Rights recently announced that it will begin HIPAA audits in early 2016 after a series of delays.
The announcement is likely a response to the Department of Health and Human Services report released in September that found the OCR “has not fully implemented the required audit program to proactively assess possible noncompliance from covered entities.”
Under the Health Information Technology for Economic and Clinical Health Act, or HITECH, HHS is required to perform periodic audits of covered entities and their business associates in order to ensure HIPAA compliance.
HITECH was passed in 2010 and a pilot program was established for the OCR’s audits the following year. But the rollout of the second phase of the audits had stalled, according to mondaq.com, and the HHS report described the OCR’s oversight as being “primarily reactive” by only responding to complaints.
The report also gave several recommendations. It stated that the OCR should:
- Fully implement a permanent audit program
- Maintain complete documentation of corrective action
- Develop an efficient method in its case-tracking system to search for and track covered entities
- Develop a policy of requiring OCR staff to check whether covered entities have been previously investigated
- Continue to expand outreach and education efforts to covered entities
Covered entities include doctors, pharmacies, health insurance companies and business associates.
The report stated that “OCR concurred with all five recommendations and described its activities to address them.”