OCR seeks HIPAA audit feedback

Want to answer big question: did audit process help improve HIPAA compliance?
By Erin McCann
10:57 AM

The Department of Health and Human Services wants to talk HIPAA audits with those covered entities who have experienced and endured the process itself. HHS will be surveying healthcare entities audited last year through the HIPAA Audit Program to better gauge the efficacy of the audits, in addition to the entities' perspectives regarding the process.

According to a notice in Thursday's Federal Register, 115 HIPAA-covered entities — including providers, health plans and clearinghouses — will be surveyed to measure attitudes toward the onsite visits, audit report findings and document request communication.

OCR officials also want to know the costs covered entities incurred by responding to audit-related requests. Moreover, the agency is seeking feedback on its processes and on whether the entities found value in the HIPAA Audit Program. In other words, did the program improve HIPAA compliance and help better protect patients' protected health information?

To date, OCR has collected $15.3 million in HIPAA violation enforcements and settlements, with the lion's share coming from resolution agreements.

The most recent HIPAA settlement involved Idaho State University, which agreed to pay $400,000 in May, stemming from an incident in which it disabled its firewall protections for nearly one year, compromising the protected health information of 17,500 patients.

When KPMG, the firm contracted to conduct OCR audits, audited the 115 covered entities in 2012, OCR Director Leon Rodriguez said a number of diverse entities were found to have an ineffective risk analysis. "We found there were entities that encrypted and entities that did nothing at all," Rodriguez said at HIMSS13 in New Orleans.

Rodriguez explained that a total of 77,000 complaints have been filed, with approximately a third of them resulting in investigation. "We are going to primarily work constructively with providers to correct whatever privacy issues are discovered in our investigation," he added.

Rodriguez acknowledged that enforcement is far from the only piece of the puzzle. Proper education matters too. "As we talk about audit enforcement and breach notification, we're also taking seriously our obligations to engage in education. I simply don't think that it's fair to be coming out with a strong enforcement posture if we're not also about the business of providing an effective road map for covered entities on how to comply."