Healthcare News & Insights

What’s the OCR planning for hospitals in 2015?

Finally, some good news for hospitals worried about new HIPAA audits and enforcement from the Department of Health and Human Services. 

185775312Hospital leaders will be happy to know they still have time to address any lingering problems affecting their HIPAA compliance, reports Healthcare Info Security.

The Department of Health and Human Services’ Office for Civil Rights (OCR) is still developing several new rules and protocols for 2015 — including the protocol for the next round of HIPAA audits.

Indefinitely delay

The OCR uses the audits to identify best practices for addressing privacy and security risks, improve industry compliance and find which areas of the industry need further OCR outreach and assistance. At the beginning of 2014, the OCR had promised that Phase 2 of HIPAA audits would come some time in the fall, and would include providers’ business associates for the first time ever.

However, the OCR decided to delay the audits in September in order to develop and implement new technology, which would automate and streamline the process of collecting audit-related documents and data.

And recently, OCR Director Jocelyn Samuels revealed that the agency is still in the middle of developing Phase 2. She also declined to offer any new timeline for when providers could expect the audits to return.

Coming down the pipeline

Samuels also mentioned the OCR has other HIPAA-related enforcement activities planned for 2015. Particularly, the OCR will continue to look for “high impact” cases that can send strong messages to the rest of the industry about compliance.

“These types of cases can include the lack of comprehensive risk analysis and risk management practices, ignoring identified threats and hazards to systems containing electronic protected health information, and insufficient policies and procedures, and training of workforce members,” Samuels said.

The agency also is proposing a rule which would develop a methodology for breaking up monetary settlements and fines so that a percentage goes to any individuals affected by breaches. This rule may affect how much the OCR doles out in penalties and settlements for violations, especially since some experts have hypothesized that the price tag for HIPAA violations will continue to grow.

OCR’s silver lining

The good news is the OCR also plans to help providers in 2015 by releasing policy clarification and guidance on a variety of topics, such as cloud computing and storage. It will also give more insight into the “minimum necessary” rule, which states that protected health information should be used  or disclosed if necessary to perform a particular service.

With HIPAA audits being delayed indefinitely, hospital leaders should take advantage and use the time to prepare their facilities.

Consider building compliance teams that can research and address potential security risks in your facility’s operations. Additionally, you’ll as want to take some time to grill your business associates about their compliance efforts. If you find that one of your vendors hasn’t been regularly keeping track of compliance criteria, you may have time to find a business associate who does.

Subscribe Today

Get the latest and greatest healthcare news and insights delivered to your inbox.