The HHS Office for Civil Rights continues to develop its random HIPAA security audit program, and anticipates implementing it “expeditiously,” OCR Director Jocelyn Samuels said during a discussion with reporters on Jan. 13. But she won’t say if the long-delayed program will start this year.

OCR is working “very proactive” in developing the protocols for the program, Samuels said, but wants to make sure they get it right. “We will make announcements in the weeks and months to come so the industry will understand what to expect.”

The audit program, which will affect HIPAA-covered entities and business associates, will be another enforcement tool for OCR, with results informing the agency of systemic industry security deficiencies to hone in on.

Samuels indicated that OCR will continue to focus on “high-impact” breaches that demonstrate systemic deficiencies to send a message to organizations that fail to conduct risk analyses, ignore known threats or have insufficient workforce training. That’s a warning that the practice of imposing large fines and resolution agreements on organizations that OCR believes have disregarded HIPAA rules will continue.

During 2015, OCR expects to issue security guidance on cloud computing and other emerging technologies. However, the long-awaited HIPAA rule governing the accounting of disclosures of protected health information may be further delayed. OCR may solicit additional input from the industry and the rule remains on the long-term agenda, Samuels said.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access