For all the consternation about the HIPAA omnibus rule going into effect on Sept. 23, at least that’s a finite date that healthcare organizations can be mindful of. A specific timeline of when the Office for Civil Rights (OCR) will be making its next round of HIPAA audits after visiting 115 organizations in 2012, however, remains shrouded in mystery.
Drinker Biddle partner Jennifer Breuer and senior advisor David Mayer (former senior advisor for OCR compliance and enforcement), who talked about their experiences with business associates (BAs) with HealthITSecurity.com recently, also discussed OCR’s role in future audits. OCR recently offered a short-term audit plan, but it’s anyone’s guess what’s going to happen long-term.
“We need a lot more clear guidance that’s specific to health information exchanges (HIEs) and sharing data in open-architecture systems,” Breuer said. “[Many organizations] are flying by the seat of their pants in a way and making it up as they go along. You can’t really help it, though, because they haven’t heard what they need to do.”
Mayer drew upon his OCR experiences and explained that while he doesn’t know the exact timeline for these audits, he believes smaller organizations need further security guidance.
I think the [115 audits so far] were very valuable to both the government and to the entities that were audited to find where the problems were in their systems. It comes as no surprise that the small doc shops were having many more problems than a 2,500-bed teaching and research hospital. And that’s been proven out, especially more so on the security side than on the privacy side. The small providers just don’t seem to have the wherewithal to meet the compliance standards on the IT side. I know OCR and NIST are trying to work on guidance for smaller providers, but that guidance doesn’t exist yet.
The HIPAA omnibus rule further complicates things for these organizations, as there’s more responsibility being dealt out. Mayer guesses that the audits will happen sometime early next year.
I know there’s another round of audits planned, but I don’t know when they’re going to start – presumably early FY14. With HIPAA omnibus coming into effect soon, the number of covered entities that could be in that potential pool (of audits) has gone up by a factor of five. I wouldn’t be surprised if there were any number of BAs included in the next round.