HIPAA Compliance: What's Next? OCR's Plans for Enforcement, Guidance and Rules
Those plans by the Department of Health and Human Services' Office for Civil Rights include the next phase of the HIPAA compliance audit program; new guidance to help covered entities and business associates navigate a variety of HIPAA compliance requirements; and new regulations for accounting of protected health information disclosures.
It's still uncertain exactly when the next round of the audit program will kick off.
OCR had hoped to kick off phase two of its HIPAA compliance audit program this fall, but officials recently revealed it's delayed. The culprit: technology that's still being rolled out at the agency that will allow OCR to collect audit-related documentation from covered entities and business associates via a Web portal (see HIPAA Audits: Revised Game Plan).
Iliana Peters, senior adviser for HIPAA compliance and enforcement at OCR, told an audience at last week's annual HIPAA symposium hosted by OCR and the National Institute of Standards and Technology that it's still uncertain exactly when the next round of the audit program will kick off.
"We hope to implement [the program soon]. It depends on a lot of factors including resources," she says. "We contemplate doing mostly internal audits" of covered entities and business associates, conducted remotely by OCR staff, Peters added.
That position appears to be a shift from earlier in September, when another OCR official told a different conference audience that OCR planned to do more comprehensive on-site audits and fewer remote "desk audits."
I asked an OCR spokeswoman to clarify. She explained that the scope and timing of future audits are still in development, including how many desk and onsite audits will be conducted.
While Peters indicated at the event that "resources" were a factor in the uncertainty of when the program would re-launch, the OCR spokeswoman didn't directly address for me whether uncertainty over federal funding for OCR's enforcement activities was a contributing factor in OCR's delay in finalizing its audit program plans.
"We cannot speculate on the content of the fiscal year 2015 appropriation and what it will mean for our activities, as the legislation has not been passed," she says.
In any case, Peters says that once phase two of the audit program resumes, organizations chosen for remote desk audits need to be timely, accurate and concise in the documentation they provide to OCR. That includes not annoying auditors by submitting "extraneous information" that OCR didn't request.
"Failure to submit response to requests may lead to referral for regional compliance review," Peters said.
And that's where your organization doesn't want to end up. Remember: OCR compliance reviews are an enforcement tool that can potentially result in organizations facing corrective action plans, and possible resolution agreements involving financial penalties.
"Whether or not [a compliance review] results in a settlement is never off the table," Peters confirmed for the audience.
Related to the audit program, OCR also is working on updating its audit protocol for covered entities and creating a new audit protocol for business associates. BAs became directly liable for HIPAA compliance under the Omnibus rule last year and are subject to OCR enforcement actions, including financial penalties that range up to $1.5 million per HIPAA violation.
Help is on the Way
Not everything at OCR is about trying to catch covered entities and BAs that are coming up short with HIPAA security and privacy compliance. The agency also tries to play good cop and teacher.
In that vein, Peters says OCR is also gearing up to provide covered entities and BAs with additional resources to make their HIPAA compliance efforts a little easier.
Among the resources OCR is working on is guidance on the HIPAA Omnibus breach notification rule, including tools to assist organizations in assessing whether a security incident is a reportable breach, Peters says.
OCR is also planning an update on breach safe harbors (such as encryption of data at rest on a stolen or lost laptop), new guidance on minimum necessary information (how to limit the protected health information that's used or disclosed to what is needed to satisfy a particular purpose or carry out a function), and guidance on marketing (when PHI can and cannot be used for marketing purposes).
Additionally, OCR is again working on updating its rule for accounting of disclosures of PHI, Peters says. That work had been on hiatus while federal advisers last year hammered out some new recommendations (see Testing Accounting Of Disclosures).
OCR in May 2011 issued a notice of proposed rulemaking for updating accounting of disclosures requirements under HIPAA. The proposal generated hundreds of complaints from healthcare providers and others. Many of the complaints were aimed at a controversial new "access report" provision (see EHR Access Report Objections Pour In).
The recent recommendations by federal advisers include a suggestion that OCR and its sister HHS agency, the Office of the National Coordinator for Health IT, launch pilots to test technical capabilities supporting accounting of disclosures involving PHI from electronic health record systems before a final rule is issued.
Besides an accounting of disclosures rule, other rules in the works include a final rule for the National Instant Criminal Background Check System, and methods for sharing a portion of breach penalty amounts with harmed individuals, Peters says.
While OCR officials don't indicate when exactly the agency plans to issue the various guidance material or rules, or pinpoint when the HIPAA audit program will resume, I hope the agency will be accomplishing much of that before next Sept. 23, when another HIPAA omnibus anniversary rolls around.
"OCR is committed to implementing an effective audit program," says the OCR spokeswoman. "Organizations should continue to monitor the OCR website for future announcements on the program."
So, for now, stay tuned. The next 12 months will see plenty of regulatory activity worth monitoring.