New round of HIPAA audits begin, with focus on providers' business associates

The second phase of HIPAA audits will focus on healthcare providers as well as their business associates, the U.S. Department of Health and Human Services Office of Civil Rights announced this week.

The second round of audits, which began Monday, will include 200 desk and onsite audits, OCR said. The desk audits will specifically focus on policies and procedures relating to security and privacy risk management, breach notification and notice of privacy.

The first phase of the audits were conducted as a pilot program in 2011 and 2012, and focused solely on healthcare providers. This round will cover providers, as well as their business associates and contractors.

“The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR's ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches,” OCR officials said in a fact sheet.

OCR anticipates the desk audits to be completed by the end of 2016, with the onsite audits beginning later in the year. In 2014, OCR officials said the audits will be “rapidly” conducted and likely result in enforcement actions. The second phase of the audits were originally expected to begin last year.

OCR reached nine settlements related to HIPAA breaches over the past year, resulting in a total of $11 million fines, according to Bloomberg BNA.