Health Information Compliance Alert

Reader Question:

What Happened to the HIPAA Audit Program?

Question: With all the recent news on increased HIPAA enforcement, should we be worried about a federal audit of our privacy controls?

Codify Subscriber

Answer: Though the HHS Office for Civil Rights (OCR) Audit Program online resource is still available for review, the HIPAA Phase 2 program isn’t up and running anymore.

“The HIPAA Audit Program has, essentially, been terminated, which is too bad, because the audits, when implemented properly, can be a valuable tool for discovering where there are weaknesses in compliance, either by the fault of covered entities, or through inappropriate regulatory requirements,” says Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems, LLC in Charlotte, Vermont. “Phase 2 was terminated without coming to a conclusion, and ‘Phase 3,’ yet to come, was identified in the fall of 2018 as a report generating recommendations based on Phases 1 and 2.”

Others agree that the program just seemed to disappear. “Phase 2 of the Audit Program seems to have fizzled out,” laments Philadelphia-based attorney Edward I. Leeds, of national law firm Ballard Spahr LLP, in online analysis.

Audits may come back down the line, especially since they are tools to help providers overcome compliance issues and manage their HIPAA risks. However, Leeds advises against holding your breath. “Although audits may be revived at some time in the future, it is more likely that OCR will dedicate its limited HIPAA resources to investigations,” he writes.

OCR did update 13 questions on its Audit Protocol website last summer, with no major changes to HIPAA. The information was “based on the experience gained in questioning during the 2016 round of audits,” Sheldon-Dean notes. “Despite promises from HHS staff, a change history has not been provided, and the update itself was never announced.”

Remember: “Audits are meant to be a learning tool for covered entities and HHS,” reminds Sheldon-Dean. “I don’t think the Audit rules will be used for enforcement purposes, as it would require developing a program, while simply responding to complaints and breaches provides plenty of fruit for making examples of rule violators.”

Tip: Whether or not the HIPAA Audit Program makes a comeback, there’s never been a better time to up your compliance capital with updated policies. Take advantage of this reprieve to assess your risks and act on them with concrete management tactics. And remember, document everything — because if OCR does roll out the audit patrol, the first thing they’ll ask for is written proof of your compliance plan.

Check out the OCR guidance on the HIPAA Audit Program at www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html#when.