On February 12th, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), issued a notification seeking feedback on an upcoming information inquiry. The OCR is seeking input on its projected workload for a “HIPAA Audit Review Survey.” This survey comprises 39 questions to be completed online and will be distributed to 207 covered entities and business associates who took part in the 2016-2017 OCR HIPAA Audits. The purpose of the survey is to assist OCR in evaluating the effectiveness of the 2016-2017 HIPAA Audits in gauging the compliance efforts of covered entities.
Beyond gauging how well the audit program evaluated the compliance efforts of HIPAA-covered entities and their business associates, the survey seeks to measure how the audits influenced subsequent actions taken by covered entities and business associates to adhere to HIPAA regulations.
The HITECH Act mandates that the Department of Health and Human Services (HHS) conduct yearly audits of HIPAA-regulated entities to evaluate compliance with the HIPAA Rules. Despite discussions about establishing a permanent audit program, such a program has yet to materialize. Instead, the Office for Civil Rights (OCR) initiated its first round of HIPAA audits in 2011 and then resumed auditing in 2016/2017 after a hiatus. Although OCR aims to fulfill this requirement of the HITECH Act, the department faces ongoing financial constraints, with little indication of additional funding from Congress.
While OCR could potentially fund an audit program through increased civil monetary penalties for HIPAA violations, recent reinterpretations of the HITECH Act language have led to reductions in penalty amounts, significantly decreasing OCR’s enforcement-generated funds. As a solution, OCR is advocating to Congress for an elevation of the maximum civil monetary penalties for HIPAA violations, which offers a more plausible remedy for its funding challenges compared to expecting a significant funding boost for the HHS.
Conducting investigations demands significant resources, and it often takes years before financial penalties can be enforced or cases resolved. The most recent enforcement action by OCR spanned an 8-year period. In an effort to enhance efficiency, OCR has undergone restructuring aimed at optimizing resource utilization. This restructuring may have afforded OCR additional capacity to address the backlog of data breach investigations, potentially resulting in increased enforcement actions. Whether this will adequately support a costly permanent audit program remains uncertain, although the necessity for such a program is evident. Previous HIPAA audits revealed widespread noncompliance with the HIPAA Rules, and despite OCR’s escalated enforcement efforts in recent years, the likelihood of investigation or audit, along with facing financial penalties, remains low. Consequently, when resources are allocated among competing priorities, many HIPAA-regulated entities deprioritize HIPAA compliance.
The data gathered from the survey will be used to improve forthcoming OCR HIPAA audits. Feedback regarding the HIPAA Audit Review Survey should be submitted no later than April 12, 2024. This request for information may suggest that OCR is considering revitalizing its initiative to periodically audit covered entities and business associates to evaluate their adherence to HIPAA regulations.
If you need help providing feedback on the OCR’s projected workload for the HIPAA Audit Review Survey, you may seek assistance from healthcare compliance and data protection experts. At MedicalITG, we can help you navigate the complexities of HIPAA regulations and provide valuable insights to enhance your compliance efforts. Contact us today for more information. Call us on (877) 220-8774.
Reference: https://www.hipaajournal.com/ocr-seeks-feedback-on-hipaa-audits/