2016: Year of the HIPAA Audit – Are You Prepared?
by Donna Koger, 10.29.15
HIPAA 2016: Part 1: What’s On the Horizon?
The Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS) recently issued two reports calling for the HHS Office for Civil Rights (OCR) to strengthen its Health Insurance Portability and Accountability Act (HIPAA) enforcement efforts. In response to these reports, HHS announced that it will launch HIPAA audits early next year in order to be more proactive in HIPAA enforcement.
OCR recently stated in a media report that audits were expected to start in 2016, but in a September 23, 2015 letter, the office more specifically said that audits will start early in the year.
As a result, the FY 2016 Budget for the Office for Civil Rights (OCR) is $43 million, an increase of $4 million over FY 2015. We should all have such an increase in revenue, eh?
Why The Change?
The increase in funds will support OCR’s audit program, which was mandated by the HITECH Act to conduct periodic random audits to assess entity compliance with HIPAA.
The audit program will help ensure HIPAA compliance by covered entities and business associates, while also informing OCR of the areas where it should direct its enforcement and technical assistance.
In addition, the increase in funds will support OCR’s continued expansion and improvement of its operations unit, which has significantly improved its efficiency by receiving, recording, triaging, and distributing complaints for evaluation and resolution.
To that end, OCR has established a comprehensive audit protocol that contains the requirements to be assessed through audits. A detailed list of OCR protocols when administering audits is available here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html.
The inspector general wrote in a report issued September 22, 2015, “HHS is vowing to launch audits early next year to gauge compliance with privacy provisions of HIPAA . . . without fully implementing a permanent audit program, OCR cannot identify covered entities that are non-compliant.”
Covered entities to be included in the audits are health care providers, insurers, clearinghouses and business associates. They are all required to disclose suspected breaches of protected health information (PHI), and audits can examine compliance with various obligations related to the privacy and physical security of PHI.
What Does This Mean For You?
So what does all this government money mean for you? Unfortunately, it means there will be more audits beginning early in 2016, so be sure you are prepared. For mental health audit tips, see Who’s Afraid of the Big Bad Audit.
Find more complimentary resources in our HIPAA Resource Center.
Donna Koger is currently the HIPAA Compliance Officer and materials developer for software training and support at Smoky Mountain Information Systems, home of PIMSY EHR. Ms. Koger is also a regular contributor to the PIMSY EHR Blog.