The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is conducting a survey to collect feedback from entities previously audited for HIPAA compliance. This follows the second phase of HIPAA audits between 2016 and 2017, which focused on evaluating adherence to the Privacy, Security, and Breach Notification Rules under HIPAA. The survey aims to gather insights on how these audits have influenced the audited organizations’ practices and their thoughts on the audit process. The feedback collectedly be extremely valuable in improving the audit process, particularly in understanding the utility of OCR’s guidance, the efficiency of the online documentation submission portal, and the overall impact of audit findings on improving compliance efforts.
The OCR is also interested in assessing the administrative burden that the audit process places on the audited entities, including how documentation requests and audit-related inquiries affect their day-to-day operations. This inquiry is part of the overall effort in improving audit programs, and hints at the preparation for more consistent auditing activities or the establishment of a permanent audit program. Despite facing budget constraints and a reduction in funds from enforcement actions, the OCR is exploring ways to fund future audits, including advocating for increased civil monetary penalties for HIPAA violations.
Feedback from the survey, which will include responses from Privacy and Security Officers at 166 covered entities and 41 business associates, will directly influence the improvement of the HIPAA Audit Program. The survey’s findings will help the OCR to make informed decisions on how to effectively conduct future audits with the aim of enhancing compliance with HIPAA rules among covered entities and business associates. This initiative by the OCR combats the challenges posed by funding shortages and the need for a more efficient use of resources.
The OCR’s initiative to gather feedback through the HIPAA Audit Review Survey reflects a practical approach to addressing compliance challenges and enhancing the effectiveness of future audits. By focusing on the experiences of audited entities, the OCR aims to identify areas for improvement in the audit process and better support HIPAA-covered entities and business associates in meeting compliance requirements. This effort is important for maintaining the integrity of patient health information and ensuring that entities are adequately prepared to protect this information in accordance with HIPAA regulations.
