Nov. 22 — The second phase of random audits under the HIPAA audit program will likely begin targeting business associates right after the Thanksgiving holiday, and the program won’t be affected by the change in White House administration, a top HHS health privacy official said.
“We will start the business associate desk audits any day now,” Deven McGraw said at a research ethics conference Nov. 15.
Since auditees have 10 business days to send in necessary documentation, she said, the Department of Health and Human Services didn’t want that audit notification to fall around the Thanksgiving holiday on Nov. 24. “It’s already bad enough that we’re doing this to you—far worse over a holiday. But we also need to get it done before the other holidays that come in December.”
The phase II audits are the latest round in a compliance auditing program to evaluate how well hundreds of hospitals and other entities covered under the Health Insurance Portability and Accountability Act of 1996 and their business associates comply with the HIPAA privacy, security and breach notification rules for health information. McGraw is the deputy director of health information privacy at the HHS Office for Civil Rights, which administers the HIPAA rules. These audits will serve as a learning experience for OCR to develop a permanent audit program, she said.
McGraw said she does not anticipate President-elect Donald Trump’s upcoming leadership reshuffle at the HHS to affect the program. In the past, McGraw said, “our office has taken a little bit of time to get new leadership in place,” and she anticipates OCR will be under the leadership of an acting director for some time after Jan. 20. On-site audits are expected to begin in early 2017.
“I am a career employee, and I will still be here, and we will still be moving the audit program in the way that we intended and have put out to others,” she said.
The audit program implements a requirement through the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act.
McGraw made her remarks on a panel about the phase II audits during Public Responsibility in Medicine & Research’s advancing ethical research conference in Anaheim, Calif. The HIPAA privacy rule allows researchers to create, obtain, use and disclose individually identifiable health information in research. But researchers must be aware of the different legal standards, including HIPAA and any other applicable rules, such as the human subject protection regulations of the HHS and the Food and Drug Administration, as well as state laws and institutional policies and contracts.