Deven McGraw, deputy director of the Department of Health and Human Services’ Office for Civil Rights, has announced that the department’s plans for initiating onsite audits are currently on hold and will remain so until more than 200 desk audits have been completed. An article over on Data Breach Today gives us great detail on where HIPAA compliance audits stand with their enforcing agency.
McGraw informed the HIMSS17 conference in February of the delay.
“We have decided that it makes a lot more sense to [first] take a look at all we had in the desk audit process and even prepare the overarching report to the public about how those desk audits went.”
With the addition of Tom Price, Health and Human Services’ new secretary, it is unclear what the timeline for onsite audits looks like; however, McGraw gives some good information about the current state of desk audits in her interview.
“We’re interested in talking to him about the audit program and getting his input into how it’s going to be conducted, but we’re very far along with the desk audits and we’re eager to finish those up. In terms of the delay, it’s really about not taking on more than we can chew, frankly. It’s an enormous, resource-intensive effort, even with contractor help … and we want to make sure we do it right.”
McGraw has expressed that the OCR is hopeful that they will begin onsite audits by the end of the year, but notes that these audits may not fall into place until 2018.
Desk Audit Information
According to McGraw, the OCR has performed remote desk audits on 166 covered entities with an additional 44 audits on business associates, which are ongoing. McGraw explained that reports for the covered entities were expected to be finalized by the OCR and shared with the organization within the last few weeks, with drafts on business associate reports to follow.
Additional items discussed in McGraw’s interview:
New guidance in the works at OCR, including an “anatomy of a case” that gives an overview on the breach investigation process as well as the results, such as calculating settlement amounts or civil monetary penalties;
OCR’s plans to continue its aggressive HIPAA enforcement activities in 2017 at the same brisk pace as last year, and lessons to be learned from those cases;
How President Trump’s recent executive order that calls for eliminating two existing regulations for every new regulation issued could affect HHS;
OCR’s work with the Food and Drug Administration related to the cybersecurity of medical devices;
Her new role as interim chief privacy officer at OCR’s sister agency, the Office of the National Coordinator for Health IT.
McGraw’s background includes co-chairing a privacy and data security practice as a partner in the law firm Manatt, Phelps & Phillips LLP. She also served as director of the Center for Democracy and Technology’s health privacy project. Additionally, McGraw served for six years as an advisor on health data privacy and security issues to the Department of Health and Human Services.