Federal regulators are planning a permanent HIPAA audit program that will begin next year. The audits will be narrower in scope than the 115 conducted in the 2012 pilot program, which should allow a larger number of organizations to be audited.
OCR (Office for Civil Rights) hopes to be off and running in the next calendar year.
Earlier, OCR had announced the audit program would resume sometime in fiscal 2014, which begins Oct. 1, 2013. OCR officials also indicated that business associates, as well as covered entities, will be audited in the permanent program because they're liable for HIPAA compliance under the HIPAA Omnibus Rule.
In both its audits and its breach investigations, OCR will examine the level of compliance at covered entities and at business associates.
Under the permanent program, audits will focus on areas of weakness, and those focus areas may change from year to year as new issues emerge.
A major weakness found during the pilot audit program, as well as through OCR breach investigations, has been a lack of thorough risk analysis.
OCR has been hiring personnel with experience in audits who will work with a contractor that will be hired for the permanent program.
Mac McMillan, CEO of CynergisTek Inc., an information security consulting firm, said it's possible that OCR could choose to work with more than one firm to conduct the next round of audits, or perhaps choose a prime contractor that works with several subcontractors.
McMillan speculated that the current budgetary climate in Washington, with the threat of the federal government shutting down in a dispute over pulling the plug on federal healthcare reform, is one reason why OCR is waiting until next year to launch the permanent program.
OCR is asking for a budget increase and also will use $4.5 million in collected HIPAA non-compliance penalties to help fund its audit program.
Enforcement actions to date have focused on cases involving major security failures, where a breach incident led to an investigation that revealed larger systemic issues. Other enforcement cases have involved inappropriate disclosure of data and denying patients access to their own records.
Additionally, OCR is expected to impose more civil penalties. OCR has approval to bank the penalties it collects and carry them across fiscal years to fund enforcement actions. Being able to bank penalties lets OCR fund its auditing and breach-investigation activities more fully.