
OCR Building HIPAA Audit Plan With Outside Help

By dnicastro@hcpro.com | May 24, 2010

HIPAA's privacy and security enforcer has hired an outside firm to help build its HITECH-required HIPAA auditing plan, the government agency tells HealthLeaders Media.

The Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules on behalf of the Department of Health & Human Services (HHS), says it does not have a timetable for when the audit program begins.

However, in an e-mail to HealthLeaders Media Thursday, May 20, OCR says it is "presently engaged in a contract to survey and recommend strategies for implementing the HITECH audit requirement."

The firm is Booz Allen Hamilton.

HITECH, passed by Congress and signed into law February 17, 2009, requires OCR to conduct "periodic audits" of covered entities regarding HIPAA privacy and security compliance.

The contractor will help OCR with the "how" and "when" of the audit program.

Sue McAndrew, the deputy director for Health Information Privacy for OCR, told HealthLeaders Media at the 18th Annual National HIPAA Summit in February that "there are 1,000 ways to do this."

Talk of enforcement heated up this month at a national HIPAA security conference, according to Mac McMillan, CEO of CynergisTek™ and one of the speakers at the Washington, DC, conference, "Safeguarding Health Information: Building Assurance through HIPAA Security."

The conference was hosted by HHS, OCR and the National Institute of Standards and Technology (NIST).

McMillan praised OCR for what he called a "proactive" approach to carrying out the provisions in HITECH and maintaining transparency in the process. He said the longtime privacy enforcer, which took over enforcement of the security rule from CMS in 2009, is "doing a much better job than its predecessor."

"OCR is much more organized and is quietly getting its stuff together," says McMillan, who has had conversations with top OCR officials. "With CMS, enforcement just didn't really fit. OCR on the other hand has been in the business of investigating privacy issues since Day 1."

When asked if it will audit entities that report breaches of unsecured protected health information (PHI) affecting 500 or more individuals, OCR tells HealthLeaders Media it has not "determined how the HITECH audit requirement will be implemented."

HITECH requires OCR to post on its website the entities that report breaches affecting 500 or more individuals.

As for breaches below the 500 mark, OCR says it does not intend to publish breach information for those reports.

"However," OCR says, "summary data will be included in OCR's annual report to Congress about breaches."

Though no enforcement plans have been announced regarding HITECH provisions, OCR says it is serious about enforcement. OCR gained 36 FTEs dedicated to HIPAA privacy and security rule compliance and enforcement this fiscal year and is now up to 132.

OCR has obtained corrective action—meaning entities taking significant and important actions to change practices to come into compliance with the privacy rule—in more than 14,900 cases since 2003.

"They're focused clearly on compliance," McMillan says.

McMillan also praised OCR for reaching out to the industry, and the general public, with its "Request for Information for Accounting of Disclosures Rulemaking."

In that May 3 Federal Register posting, OCR asks providers and the public several questions to help it produce a proposed rule on accounting of disclosures for EHRs. The proposed rule is due out in June; the underlying HITECH provision gives patients greater rights to an accounting of disclosures from their EHRs.

"They're engaged," McMillan says. "They're not afraid to talk about this. I think they're doing a lot more that most folks aren't seeing yet."

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
