The Office for Civil Rights (OCR) has been stating publicly that it will gear up for its second round of HIPAA audits for some time, and the time has come. The OCR has officially started the next round of audits of covered entities, round two will include audits of business associates for the first time.
Although business associates have been regulated entities under HIPAA since 2013, there have been no enforcement fines and/or penalties assessed against a business associate by the OCR to date.
The OCR has given covered entities and business associates time for compliance, and this new round of audits will not be as kind as the last. We have seen a change in the tone of investigations and enforcement actions by the OCR in the last two years and it is losing patience with covered entities and business associates being lax with compliance.
Although the new audits will include the old reliable questions, we anticipate that the OCR will look deeper into covered entities’ and business associates’ compliance with the Security Rule, including completing a security risk assessment, ongoing risk management, frequent training of employees and business associate agreements. All of these areas have been a focus of the OCR in the recent past, and such is evident from the most recent fines and penalties assessed against covered entities.
Being part of an OCR audit or investigation is time consuming, disruptive and uncomfortable even for the most compliant. Get your ducks in a row now and be ready. Both covered entities and business associates would do well to review their HIPAA compliance programs with a focus on risk assessments, risk management, employee training and business associate agreements.