Privacy Point

OCR's 2015 HIPAA Audits

This year will be remembered as the year of regulatory delay in healthcare. First it was ICD-10 and then Meaningful Use Stage Two. Now the Department of Health and Human Services' Office for Civil Rights (OCR) has pushed the next phase of HIPAA privacy and security audits out until sometime in 2015 as explained by Linda Sanches, OCR's health information privacy senior advisor during the 4th Annual HIMSS Privacy and Security Forum held September 9, 2014, in Boston, Massachusetts.

The revised game plan calls for a select number of covered entities (CEs) and business associates (BAs) to be audited through a combination of remote "desk audits" and onsite evaluations. The exact number of organizations to be audited continues to vary, as does the exact timeline for the audits to begin.

While everyone awaits a new official start date for the second round of HIPAA privacy and security audits, a few things are certain:

  • Organizations will have already received a pre-audit questionnaire if they have been selected for an audit. These questionnaires were sent in July and August 2014.
  • OCR will determine which organizations should take part in more in-depth desk audits based on the pre-audit survey data received.
  • If an organization is selected for a desk audit, its documentation must be timely, accurate and concise. Organizations will have ten days from the date of the audit letter to respond. A new OCR web portal is being implemented to collect documentation and streamline the audit process.

Beyond these high-level parameters, there are a few known target areas for the 2015 audits.

Key Targets Identified
A few key target areas for the 2015 audits are listed below. These fall into three categories: general information risks, security risks and privacy risks.

All efforts to mitigate the associated breach risk should be thoroughly documented, and the documentation should be made available upon auditor request.

Information Risks
  • failure to encrypt data and devices
  • BYOD: bring your own device
  • cloud storage
  • business associates (BAs)
  • networked medical devices

Security Risks
  • social media
  • mobile devices
  • photocopiers

Privacy Risks
  • employees (breaches by insiders)

Setting Expectations
Auditors will be looking for practical application of privacy and security policies throughout the entire organization. In addition, there should be documentation of an organization's attempt to detect new threats and intrusions as well as identify potential problems. Software application audit trails and logs will be helpful to offer a back-end view of the system, record key activities, and show system threads of access, changes and transactions.

Furthermore, be prepared to provide forensic evidence of any investigation for suspected or known security incidents and breaches to patient privacy, especially if there were sanctions against a workforce member, business associate or other contracted agent. All disclosures of PHI must be tracked along with responses to any patient privacy concerns. Finally, organizations should be sure to evaluate the overall effectiveness of their policies and user education regarding appropriate access and use of patient information.

Trigger Events
I believe this next wave of audits will use a methodology similar to the Joint Commission's Tracer evaluations. If there is focus on a particular issue or incident, then all documentation related to that incident must be made available for the auditor's review with particular focus on the items mentioned above.

Organizations must identify and define "trigger events": the criteria that will flag questionable access to confidential electronic PHI and therefore prompt further investigation. Some triggers will be appropriate to the whole organization, while others will be specific to a department or unit. Review your trigger events on a regular basis and update them as necessary.
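The following is an added example, not code from the column or from HealthPort, showing how organization-wide and department-specific trigger events can be expressed as rules and run over an EHR access log export. The log format, column names, department names, the after-hours window, and the bulk-access threshold are all assumptions made for the example; the sample log rows are constructed.

```python
import csv
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from io import StringIO
from typing import Callable, List, Optional

# Constructed sample export from a hypothetical EHR access log. The column
# names are assumptions for this example, not a real vendor's format.
SAMPLE_LOG = """\
timestamp,user,user_dept,user_last_name,patient_id,patient_dept,patient_last_name,patient_flag
2015-03-02T09:12:00,jdoe,Cardiology,Doe,P1001,Cardiology,Smith,
2015-03-02T09:15:00,jdoe,Cardiology,Doe,P1002,Cardiology,Doe,
2015-03-02T10:00:00,mlee,Billing,Lee,P2002,Cardiology,Brown,
2015-03-02T23:40:00,mlee,Billing,Lee,P2001,Oncology,Jones,VIP
2015-03-02T23:55:00,rkim,Emergency,Kim,P3001,Emergency,Park,
2015-03-03T11:00:00,aray,Research,Ray,P4001,Oncology,Cole,OPT_OUT
2015-03-03T11:05:00,aray,Research,Ray,P4002,Oncology,Diaz,
2015-03-03T11:06:00,aray,Research,Ray,P4003,Oncology,Evans,
2015-03-03T11:07:00,aray,Research,Ray,P4004,Oncology,Ford,
"""


@dataclass
class Trigger:
    name: str
    department: Optional[str]          # None means the trigger applies organization-wide
    predicate: Callable[[dict], bool]  # True when a single access event should be flagged


def _hour(event: dict) -> int:
    return datetime.fromisoformat(event["timestamp"]).hour


TRIGGERS = [
    # Organization-wide: a user opening a record of someone sharing their last name
    Trigger("same-last-name", None,
            lambda e: e["user_last_name"].lower() == e["patient_last_name"].lower()),
    # Organization-wide: a VIP-flagged record opened by someone outside the treating department
    Trigger("vip-outside-department", None,
            lambda e: e["patient_flag"] == "VIP" and e["user_dept"] != e["patient_dept"]),
    # Organization-wide: access outside 07:00-19:00; Emergency staff are exempt (assumed 24-hour unit)
    Trigger("after-hours", None,
            lambda e: e["user_dept"] != "Emergency" and not 7 <= _hour(e) < 19),
    # Department-specific: research staff opening a record of a patient who opted out of research use
    Trigger("research-opt-out", "Research",
            lambda e: e["patient_flag"] == "OPT_OUT"),
]


def parse_log(text: str) -> List[dict]:
    """Parse the CSV export into one dict per access event."""
    return list(csv.DictReader(StringIO(text)))


def screen_events(events: List[dict], triggers=TRIGGERS, bulk_threshold: int = 3) -> List[dict]:
    """Return one finding per (event, trigger) match, plus aggregate bulk-access findings."""
    findings = []
    for e in events:
        for t in triggers:
            # Department-specific triggers only apply to users of that department
            if t.department not in (None, e["user_dept"]):
                continue
            if t.predicate(e):
                findings.append({"trigger": t.name, "user": e["user"],
                                 "patient_id": e["patient_id"], "timestamp": e["timestamp"]})

    # Aggregate trigger: one user opening more distinct patient records in a day than expected
    per_day = defaultdict(set)
    for e in events:
        per_day[(e["user"], e["timestamp"][:10])].add(e["patient_id"])
    for (user, day), patients in per_day.items():
        if len(patients) > bulk_threshold:
            findings.append({"trigger": "bulk-access", "user": user,
                             "patient_id": ",".join(sorted(patients)), "timestamp": day})
    return findings


def summarize(findings: List[dict]) -> Counter:
    """Count findings per trigger, the figure a reviewer would report on regularly."""
    return Counter(f["trigger"] for f in findings)


if __name__ == "__main__":
    results = screen_events(parse_log(SAMPLE_LOG))
    for f in results:
        print(f"{f['timestamp']}  {f['trigger']:<24} user={f['user']} patient={f['patient_id']}")
    print(dict(summarize(results)))
```

Each finding is a prompt for investigation, not a conclusion; the value of the structure is that every trigger is named, scoped to the organization or a department, and reviewable as a list, which is the documentation an auditor tracing an incident will ask to see.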

Getting Beyond Check-the-Box
For HIM professionals, the most important thing to remember about OCR's 2015 audits is that your organization's HIPAA privacy and security efforts must go beyond checking boxes and maintaining binders. The new round of audits will focus more directly on practical, day-to-day application of established policies and procedures to answer questions such as the following:

  • Is there a consistent message regarding privacy and security?
  • Is there consistent corrective disciplinary action?
  • Does the overall HIPAA program demonstrate compliance and integrity?

It's time for your HIPAA compliance program to make a significant impact on your organization's culture and behavior.

Rita Bowen is senior vice president of HIM and privacy officer at HealthPort. She can be reached at

© 2017 ADVANCE Healthcare, an Elite CE company