OCR unleashes second wave of HIPAA audits, but will it diminish patients' privacy and security expectations?

Healthcare entities should expect the Office for Civil Rights to levy fines that help fund the program. And until OCR delivers a draft audit protocol, breaches will continue at patients' expense.
By Tom Sullivan
10:33 AM
Matthew Fisher chairs Mirick O'Connell's Health Law Group

The Office for Civil Rights has begun its second wave of HIPAA audits and already the question is arising: Will the program actually succeed in its effort to improve privacy and security practices and, ultimately, protect patient data? Or will it have the opposite impact?

Prominent health attorneys aren't expecting an answer in the short term. What they are anticipating, however, are plenty of penalties in 2016 as the drumbeat of data breaches continues apace.

"The initial couple rounds of audits under the new fuller procedure will result in a fair amount of fines being levied since that money will go right to OCR and probably help fund the audit program going forward," said Matthew Fisher, an associate at Mirick O'Connell and chair of the firm's Health Law Group.


David Harlow, a health lawyer, consultant and founder of The Harlow Group, explained that OCR is "consistent in saying that the audit process is not a witch hunt."

OCR, for its part, described the HIPAA audit program as "an important tool to help assure compliance with HIPAA protections, for the benefit of individuals," as well as an opportunity to examine mechanisms for compliance and potentially discover vulnerabilities it might not yet fully understand.

To that end, the second wave, which OCR said will start this week, will include approximately 200 audits – most of those being "desk audits" – by the end of 2016.

OCR added that it intends to use the second wave to identify best practices and, in turn, share that guidance with covered entities. The office, however, still has to compile and deliver that manner of guidance at some yet-to-be-specified point in the future.

Although the forthcoming best practices won't help those 200 covered entities that get audited this year, Fisher expects OCR to post "a checklist that everyone else should review and use for a self-assessment."

The problem for now, Harlow said, is that healthcare organizations do not even have a draft audit protocol from OCR.

"While OCR is certainly fielding many complaints and taking action on cases before it, we have limited structural, systemic improvements in privacy and security," Harlow said.

What's more, earlier pilot audit waves showed that most healthcare organizations had a certain degree of non-compliance with the HIPAA privacy and security laws, Fisher explained.

In other words: Here come the HIPAA audits. And even though OCR has yet to clearly outline exactly what healthcare providers should expect, one thing to anticipate is plenty of financial penalties.

"Who loses out as a result? Patients," Harlow said. "The breaches continue, free credit monitoring services are offered, and we all move forward with a diminished expectation of privacy and security."

Twitter: @SullyHIT
Email the writer: tom.sullivan@himssmedia.com