OCR Audit Results Give First Look at BA Issues, Show Risk Analysis Still Problematic

Among the biggest questions the HIPAA compliance world has about the HHS Office for Civil Rights’ (OCR) fledgling audit program is what it will be like when it stops being fledgling.

The answer, at least to date, isn’t very satisfying: We don’t know what a “permanent” audit program will entail. The second pressing question for privacy and security officers is whether any of the recently audited organizations got into trouble, i.e., faced enforcement actions. Apparently they did not.

OCR has been slowly building a permanent audit program since 2011, as required by the 2009 HITECH Act. While OCR has stated that the early audits would generally not result in punitive measures, the persistent fear has been that they will once the program is fully under way.

Even with those details lacking, covered entities (CEs) and business associates (BAs) were eager to hear what Zinethia Clemmons, director of OCR’s HIPAA Compliance Audit Program, had to say about the conclusion of Phase II of OCR’s audits. It has been five years since the results from Phase I had been shared, so that added to the suspense (RPP 3/13, p. 1). But interest had also swelled because BAs were audited for the first time, and the state of their compliance was expected to be revelatory.

So how did BAs do in demonstrating compliance with the security and breach notification rules? Not so bad. “I was actually surprised that the business associates scored slightly better than the covered entities,” health care attorney Adam Greene told RPP.

Under this, the last phase of the audit pilot program, OCR reviewed 207 organizations for compliance with the privacy, security and/or breach notification rules. Of these, 166 were CEs; 103 were audited for privacy and breach, and 63 for security. Forty-one BAs were audited; all were assessed for compliance with breach and security rules.

The audits were of the “desk” type, versus onsite, meaning that officials reviewed written policies and procedures and other documents. OCR had intended to conduct some of them onsite, but that idea did not pan out.

Clemmons acknowledged the long process to complete the audits and reveal their findings.
