The HHS Office for Civil Rights will begin Phase 2 of its long-awaited audit program in early 2016 to determine compliance of covered entities and business associates with HIPAA privacy, security and breach notification rules.

“We’re doing the work now to be ready to do that,” says Deven McGraw, OCR’s deputy director for health information privacy. “This doesn’t seem like a delay to me. But, I recognize that the regulated community has been anticipating this next phase of our audit for some period of time.”  

McGraw, who has been in her position since this summer, is responsible for HIPAA policy and enforcement at OCR. “My job was held by someone in an acting capacity for well over a year. It’s not always easy to get hiring done promptly in the federal government,” she observes. “Between that and the fact that we were always operating with constrained resources here, we were not able to implement the program maybe as early on the heels of Phase 1 as we would have liked.”

Last month, an HHS Office of the Inspector General report found that OCR “has not fully implemented the required audit program to proactively assess possible noncompliance from covered entities” and described OCR’s oversight as being “primarily reactive” by only responding to complaints.

However, McGraw says that in Phase 2 of its audit program covered entities will be reviewed for HIPAA compliance regardless of whether or not a complaint has been filed against them.

“We see audit as an additional tool in our compliance toolbox. Complaints and investigations are another tool,” she argues. “Audit is a tool that we can both use to see what’s going on in the field in terms of compliance, but also as an enforcement tool in cases where what we’re finding in the audits is significant non-compliance.”

Phase 2 of OCR’s audit program will be more focused on “desk” audits of policies and procedures compared to Phase 1, McGraw reveals. OCR hopes this approach will enable the agency to be more effective in the audit with smaller resources than would be required to support full onsite audits across the board.

“We would be auditing aspects of the rule based on a review of policies and procedures that are sent to us by the entities that we’re auditing,” she discloses. “It is usually a bit more focused on certain aspects of regulatory compliance versus a full-scale audit of every aspect of the program, reserving that sort of full-scale review to a smaller number of entities that could be identified as part of the desk audit or potentially selected right from the start from the audit pool. We’re still making some decisions about that.”  

According to McGraw, OCR will include both covered entities and business associates in the next round of audits. “This is the first time that our audit program is directly looking at business associates,” she comments. “We are going to try to get a range of different types and sizes in our audit pool.”

Regarding business associates, McGraw acknowledges that “a lot of covered entities have raised concerns about business associate compliance.” But, at the same time, she says business associates have “also raised concerns about the compliance of the covered entities that they work with.”

McGraw believes it is important for OCR to “peek under the hood” of business associates that get selected for audits “so that we can start to learn more both from a compliance standpoint about where the industry is and also where some of those pain points are” in the relationship between covered entities and business associates.

According to McGraw, OCR has committed to making the audit protocol available to the public so there is an opportunity for stakeholder feedback before the program is implemented early next year. “I really would like to get started by the end of the first quarter of 2016, but I think the best that I can say is that it is a desired endpoint versus a certain one,” she admits.      

“HITECH directed us to have a program of periodic audits and we will endeavor to do that,” McGraw emphasizes. Although OCR has not fully implemented a permanent audit program, as OIG recommended in its report last month, she asserts that the office “has taken significant steps to doing so” including a full evaluation of OCR’s Phase 1 audit program which will be “used to inform the audit we’re doing in Phase 2.”

Nonetheless, McGraw concludes that “it’s a bit premature to say what a permanent audit program would look like in part because we really do want to learn from our Phase 2 audit.”  
