We have been urging clients, covered entities and business associates to prepare for almost two years. As I have said many times, being prepared for an audit is more about taking the appropriate and responsible steps toward compliance and security than it is about the likelihood that your organization will actually be chosen.
Shifted Focus of Compliance Audits
OCR officials have faced many months of technical and procedural delays in kicking off the second round of HIPAA compliance audits. A lot of time has passed since we first began following news from the feds about their plans. In that time the mood of the country and of corporate America has changed. We have all witnessed major data breaches in virtually every industry – including the federal government itself. Consumers, patients, and clients are starting to demand better controls and better security for their valuable personal information. The high-profile security issues that have occurred in the interim will undoubtedly influence the audits planned for early 2016.
In a recent interview with Health Info Security, Attorney Anna Spencer speculated that the next round of audits could result in more costly enforcement action. The original round of audits conducted in 2012 was aimed at education. Several common areas were identified as compliance challenges for the organizations audited. By the time the next round of audits kicks into high gear, regulators will expect covered entities and business associates to have had time to come to grips with their compliance obligations.
Until now, significant enforcement penalties and settlements have come as the result of breach investigations. Given the time that has passed, the higher expectations of regulators, and increasing political pressure from Congress reflecting the growing concerns of their constituents, the next audits may carry more potential for preemptive enforcement action.
If You’re Not Audited, You’re Not Off the Hook
The greater possibility of fines or penalties raises the stakes on the upcoming audits. But if your company doesn’t get selected for an audit, are you off the hook? That particular hook, maybe. But the evolving nature of the OCR audits also reflects the evolving nature of compliance. Covered entities and business associates can no longer pretend the HIPAA Rules are new or unfamiliar. Accountability and awareness are both at higher levels today. Based on lessons learned from the original audits, and those learned the hard way from recent breaches, OCR has stated that key concerns for future audits and enforcement include:
- Computing device and storage media security controls
- Transmission security
- HIPAA privacy rule safeguards (workforce training, policies, procedures)
- Encryption and decryption
- Facility and physical access control
These priorities should be your organization’s priorities as well. It is true that you may never be selected for an audit. It is also true, but far less likely, that your company may not even suffer a security breach. Regulators, partners, and patients all still expect and require your due diligence toward compliance.