Official: HIPAA audits to bring penalties

Share this content:

In apparent acknowledgement that HIPAA violation enforcement has been less than aggressive so far, a government adviser said that HIPAA audits would soon produce swift results — and penalties, when appropriate.

Providers that are non-compliant under provisions of the Health Insurance Portability and Accountability Act are more likely to face consequences in the future, said Iliana L. Peters, a senior adviser at the Department of Health and Human Services Office for Civil Rights. Her comments came at a joint conference with the National Institute of Standards and Technology.

Auditors have gathered information about providers' HIPAA compliance for about two years under a pilot project. Internal OCR staffers, instead of contractors, will perform a new round of audits, and these likely will not include onsite visits, Peters said. 

Providers selected for audits will be notified and asked to supply lists of business associates. From those lists, OCR auditors will choose additional entities to audit. Because of the streamlined process, auditors will be able to work quicker, and groups being investigated will potentially have less direct contact with investigators.

Providers need to get their procedures and policies in order, officials cautioned. An agency spokeswoman told the Bureau of National Affairs that the next round of audits “will happen,” but a start date for the audits scheduled to begin this year had not been set.

Extensive investigations of HIPAA-related activities and resulting penalties have been infrequent, particularly among long-term care entities. But there have been significant settlements involving acute-care providers, to whom LTC operators are being increasingly linked through government payment and evaluation plans.

In May, for example, two New York City hospitals agreed to pay nearly $5 million to settle charges that a lack of “technical safeguards” exposed the information of about 6,800 patients.