OCRs Phase II Audit Program in Flux, But Covered Entities Still Need to Be Prepared, AIS Newsletter Reports

Washington, DC (PRWEB) October 08, 2014

The October issue of Atlantic Information Servicess Report on Patient Privacy offers coverage of remarks delivered by a senior Office for Civil Rights official during a recent HIPAA security conference.

The HHS Office for Civil Rights (OCR) is preparing to launch OCR Phase II Audits, a permanent audit program for covered entities (CEs). But as AISs Report on Patient Privacy (RPP) learned at a HIPAA security conference held in late September, OCR is still dealing with funding constraints and finalizing the program, as reported in its October issue.

We are hoping to implement Phase II soon, Iliana Peters, OCRs senior advisor for HIPAA compliance and enforcement, told the attendees during her closing presentation at the Sept. 23-24 conference co-hosted by HHS and the National Institute for Standards and Technology. However, it depends on a lot of factors, including resources, Peters said, joking that OCR might need to launch a Kickstarter campaign in order to fund it. Phase I, the pilot program, was completed more than a year ago.

When the program will begin, Peters said, hinges at least in part on the completion of some technology upgrades that will enable auditees to electronically submit data and documents directly to OCR, perhaps through a standardized template or portal. Beyond using the word soon, however, Peters did not specify when the program might commence or how many would be audited. A presentation slide with general time frames was said by Peters to be out of date.

In addition to not having technology in place, OCR also has not yet completed the protocol for Phase II, though Peters did not mention this. Aspects of the program that currently appear near finalization include the fact that most will be desk audits conducted by OCR staff. In the pilot, contractors visited CEs and conducted onsite reviews.

But, Peters emphasized, once Phase II begins, OCR will use it as an enforcement tool that, depending on what issues are discovered, may result in corrective actions. Peters said that even if no security breaches were reported, the agency would pursue an investigation if major compliance issues were found during the course of an OCR-initiated audit, and resulting actions could include settlements and monetary penalties. These, she said, are never off the table.

Visit http://aishealth.com/archive/hipaa1014-01 to read the article in its entirety, which also includes Audit Phase 2 Expectations from Peters presentation.

About Report on Patient Privacy

Report on Patient Privacy is the health industrys #1 source of timely news and business strategies for safeguarding patient privacy and data security. Published for hospitals and other providers, health plans and other HIPAA-covered entities and business associates, the 12-page newsletter focuses on privacy issues that can result in huge fines, penalties and public relations nightmares, including: security breach notification; business associate relations and agreements; and new federal privacy rules for marketing, fundraising, privacy notices, minimum necessary, patient rights and safeguarding privacy in EHRs. Visit http://aishealth.com/marketplace/report-patient-privacy for more information.

About Atlantic Information Services

Atlantic Information Services, Inc. (AIS) is a publishing and information company that has been serving the health care industry for more than 25 years. It develops highly targeted news, data and strategic information for managers in hospitals, health plans, medical group practices, pharmaceutical companies and other health care organizations. AIS products include print and electronic newsletters, websites, looseleafs, books, strategic reports, databases, webinars and conferences. Learn more at http://AISHealth.com.

Leave a Reply