On August 11, 2011, the HHS Office for Civil Rights (OCR), the agency responsible for enforcing the HIPAA regulations, delivered its first annual report on HIPAA compliance and enforcement to Congress. The report shed a little light on the random compliance audits mandated by the HITECH Act. OCR reported that it has completed a study identifying several possible audit models, has selected one of them, and has “begun to develop a pilot audit program and a process for evaluating” its effectiveness. It has contracted for the development of a database to enable the “meaningful and objective selection of covered entities to be audited by OCR based on a variety of potential factors, including the types, sizes, and geographic locations of covered entities.” It has also contracted for the development of a compendium of compliance audit protocols for distinct types of covered entities and will use those protocols to audit up to 145 entities. The protocols will be a “comprehensive methodology, serving as a single source of audit criteria, assessment methods, and procedures for conducting HIPAA Privacy and Security Rule and HITECH Breach Notification Rule compliance audits.” OCR anticipates that these 145 audits will be complete by December 31, 2012.
If OCR’s database of covered entities catalogs, say, 500,000 entities, a given entity’s chance of being selected for a compliance audit in 2012 would be about 0.03 percent (145 out of 500,000, or roughly three hundredths of one percent). The report also revealed that in 2010 there were 243 complaints filed alleging HIPAA Security Rule violations and 8,524 complaints alleging HIPAA Privacy Rule violations. Also in 2010, there were 210 reported breaches involving 500 or more individuals. Given these numbers, a covered entity’s most likely encounter with the Office for Civil Rights would come through a Privacy Rule complaint rather than an audit. In 2010, the top issues in investigated cases that resulted in corrective action were:
- Impermissible Uses & Disclosures
- Inadequate Safeguards
- Not Providing Patients Access to their Records
- Violations of the Minimum Necessary Provision
- Issues with the Notice of Privacy Practices
The full report can be viewed at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/enforcement/compliancereport2011-2012.pdf.