Healthcare Information Security

HIPAA and Compliance News

OCR provides short-term HIPAA audit program plan

By Patrick Ouellette

The third installment of the Office for Civil Rights (OCR) and Workgroup for Electronic Data Interchange (WEDI) webinar series on Wednesday focused mainly on the HIPAA Omnibus Rule's breach notification provisions. Toward the end of the presentation, however, OCR also gave an important update on the status of its HIPAA audit program.

OCR presented its multi-year audit plan, which names the vendors involved and sets out a time frame for its evaluation vendor, PricewaterhouseCoopers (PwC) LLP.

OCR has completed audits of 115 entities: 61 providers, 47 health plans and seven clearinghouses. In total, OCR recorded 979 audit findings and observations, including 293 Privacy, 592 Security and 94 Breach Notification. From this work, OCR reported the following observations and next steps:

- Smaller entities struggle with all three areas (Privacy, Security and Breach Notification)

- OCR is still assessing the need to follow up with individual auditees

- The audits help identify the compliance areas of greatest weakness

- An evaluation is underway to make audits a permanent part of OCR's enforcement efforts

Overall Findings & Observations

Overall Cause Analysis

In evaluating the findings and observations cited in the audit reports, OCR found that the most common cause across all entities was the entity being unaware of the requirement. This accounted for 30 percent (289 of 980) of findings and observations (the denominators cited here differ by one from the totals above):

- 39 percent (115 of 293) of Privacy findings

- 27 percent (163 of 593) of Security findings

- 12 percent (11 of 94) of Breach Notification findings

According to OCR, most causes relate to elements of the rules that explicitly state what a covered entity must do to comply. Other causes noted in the presentation include, but are not limited to, insufficient resources, incomplete implementation, and outright disregard for HIPAA.

Next OCR steps

OCR also revealed some details of its Formal Program Evaluation for the rest of 2013, including internal analysis to determine follow-up and next steps:

- Creation of technical assistance based on results

- Determine where entity follow up is appropriate

- Identify leading practices

OCR also plans to revise the overall HIPAA audit protocol to reflect the Omnibus Rule, and to continue work on program design and focus, including:

- Business associates

- Accreditation/certification correlations (flagged in the presentation as an open question)
