On September 29, it was revealed that the HHS Office for Civil Rights (OCR) will commence Phase 2 of its HIPAA audit program in “early 2016.” OCR’s revelation regarding the Phase 2 audits, which had been the subject of significant industry speculation, came in response to two related reports on OCR’s oversight and enforcement of HIPAA compliance by the HHS Office of Inspector General.

The OIG reports, available here and here, present a mixed bag for OCR regarding fulfillment of its obligations under HIPAA to date. The OIG reports are based on a review of certain privacy cases and breaches reported to OCR between September 2009 and March 2011, as well as interviews with OCR staff. The OIG reports contain a number of observations regarding OCR’s HIPAA compliance practices, including:

  • OCR’s HIPAA Privacy Rule oversight is primarily reactive in response to complaints;
  • OCR has not fully implemented the HIPAA audit program required under the HITECH Act;
  • Cases where OCR identified HIPAA non-compliance most frequently involved hospitals and individual providers;
  • OIG identified 23 covered entities within its sample that were investigated by OCR at least five times each; and
  • OCR investigated all large breaches (breaches affecting at least 500 individuals) but did not document investigations into all of the small breaches (affecting fewer than 500 individuals) it reviewed.

OIG then made certain recommendations for OCR to improve its policies and practices, including:

  • OCR should fully implement an audit program;
  • OCR should improve its documentation of corrective actions and small breaches;
  • OCR should track previous breaches and investigations of covered entities; and
  • OCR should develop a policy whereby OCR staff routinely check whether covered entities have reported previous breaches.

Beyond announcing the Phase 2 audits, implementation of the OIG’s remaining recommendations is likely to enhance OCR’s enforcement activities by allowing OCR to more effectively leverage past non-compliance against entities facing allegations of HIPAA violations. OIG’s findings suggest that certain covered entities are repeatedly violating HIPAA, and may have systemic compliance issues that merit heightened corrective action. Allowing OCR staff to track past corrective actions and routinely check previous breaches will enable OCR to increase penalties against entities identified as repeat offenders.

Beyond the OIG’s conclusions, all entities subject to HIPAA should recognize that OCR’s Phase 2 audit announcement is the final call to prepare for a HIPAA audit by assessing, and if necessary implementing, their HIPAA compliance policies and procedures.