HIPAA Audits: A Progress Report OCR's Deven McGraw Says Protocol Coming in April
HIPAA Audits: A Progress Report
Deven McGraw of HHS Office for Civil Rights

The Department of Health and Human Services' Office for Civil Rights is making progress toward launching the long awaited next round of HIPAA compliance audits, which will consist mostly of desk audits. In a critical step, it plans to release its proposed new audit protocol in April for public feedback, says Deven McGraw, OCR's deputy director of health information privacy.

OCR plans to conduct this year about 200 remote desk audits focusing on compliance with only a small subset of HIPAA requirements and 10 to 25 "full scale audits" that will involve onsite visits, McGraw says in an interview with Information Security Media Group during the HIMSS 2016 Conference in Las Vegas.

OCR is "on track" to issue a new audit protocol in April and will seek public comment before finalizing the protocol that will be used in the audits, she says. OCR will update a protocol that was developed for the pilot phase of the audit program, which was conducted in 2011 and 2012, to reflect changes included in the HIPAA Omnibus Rule.

"We are planning to revise the entire protocol even though for the desk audits we are only going to be auditing for selected provisions," McGraw says. Those narrow provisions will be announced "closer to the time when the audits will begin" later this year, she adds.

Who Will Be Audited?

OCR is now identifying a pool of covered entities and business associates from which it will select those to be audited, McGraw explains. That process includes, for example, verifying contact information. "We'll be asking covered entities to identify their business associates in order to create a larger pool of business associates from whom to select auditees," she adds.

OCR wants a "diverse pool" of covered entities and business associates to audit, McGraw says. "We want some variation in size, geographical location, what is it that they do, etc."

In the interview (see audio link below photo), McGraw also discusses:

  • A recently released "crosswalk" between the HIPAA Security Rule and the NIST Cybersecurity Framework to help healthcare entities and business associates map NIST standards to HIPAA requirements;
  • New guidance planned by OCR for 2016, including advice on cloud computing issues;
  • Breach investigations and other enforcement activities likely to come from OCR this year; and
  • OCR's rulemaking plans for this year, including resuming work on the long delayed accounting of disclosures final rule, and a notice of proposed rulemaking for sharing monetary penalties collected by OCR for HIPAA noncompliance with breach victims that have been "harmed."

Before joining OCR last June, McGraw was a partner at the law firm Manatt, Phelps & Phillips LLP, where she co-chaired its privacy and data security practice. Earlier, she was director of the health privacy project at the Center for Democracy & Technology, a consumer advocacy group. For six years, McGraw served as an adviser to HHS on health data privacy and security issues. She served on the Health IT Policy Committee, which advises HHS' Office of the National Coordinator for Health IT, and co-led the committee's Privacy and Security Workgroup - previously called the Privacy and Security Tiger Team - as well as its Information Exchange Workgroup.

Around the Network