The first series of desk audits will focus on covered entities, and the second will look at business associates. The OCR expects desk audits to be completed by December 2016. A third series of audits will involve on-site visits, which the OCR says will “examine a broader scope of requirements from the HIPAA rules than desk audits.” An entity may be selected for a desk and an on-site audit.
The Penalties
For its audit selection criteria, the OCR is considering the size and type of covered entity, geography, affiliations and whether an entity is public or private. The agency can assess criminal or civil penalties for violations. Civil penalties fall into four tiers that range from accidental noncompliance to purposeful violation without correction. Penalties include fees up to $1.5 million annually and/or jail time for up to 10 years.
“It’s getting continually harder for small physician groups to fully comply with HIPAA when even large institutions often are not doing so,” says Ms. Yaffe.
Kelly April Tyrrell writes about health, science and health policy. She lives in Madison, Wis.