The Department of Health and Human Services’ Office for Civil Rights had earlier announced that the audit program would resume in fiscal year 2014. The latest update is that federal regulators are planning a permanent HIPAA audit program that would begin next year. According to OCR Director Leon Rodriguez, the audits under the permanent program will be narrower in scope than the 115 audits conducted during the pilot program in 2012, so that a larger number of organizations can be audited.
While the permanent audit program will look at the level of compliance at both covered entities and their business associates, the audits will also focus on the vulnerabilities that may change every year as new issues come to the forefront. The pilot program and the OCR breach investigations conducted so far found a major weakness across entities: the lack of a thorough risk analysis. Therefore, risk assessments will continue to be a top criterion for determining compliance.
OCR is yet to hire a contractor for the permanent audit program, and industry experts believe that OCR may work with more than one firm to conduct the next round of audits, or possibly choose a prime contractor who would work with several subcontractors.
According to Rodriguez, OCR is asking for a budget raise to fund the permanent audit program, and will also use $4.5 million from the HIPAA non-compliance penalties collected so far.
HIPAA Omnibus Enforcement Action
HIPAA Omnibus compliance enforcement began on September 23rd. Healthcare entities that are wondering how this new rule is going to be enforced should take cues from the previous enforcement actions, where the focus was on cases involving major security failures, and where a breach incident led to investigations that later revealed larger systemic issues. Inappropriate disclosure of data and denial of access to patients are other cases where enforcement action was seen earlier.
According to Rodriguez, OCR will leverage more civil penalties, and the office has approval to bank these penalties to fund the enforcement actions across fiscal years. In his opinion, this will also enable OCR to maximize funding of the audits and breach analysis activities.
This would mean that entities can expect the monetary penalties imposed by OCR to be significantly higher. The smartest way to deal with this is to prevent security breaches, ensure compliance, and prepare well in advance for the upcoming audits. Aegify Security Posture Management and Aegify SecureGRC can greatly simplify the process of achieving security and compliance, and enable entities to face the upcoming audits with confidence.