OCR Notifies 167 Covered Entities That They're Being HIPAA-Compliant Audited

The Office for Civil Rights (OCR), in charge of enforcing the privacy, security, breach and other HIPAA rules, said yesterday it has notified 167 covered entities that they must submit all papers necessary for a remote "desk audit" within 10 days. "Letters were delivered on Monday, July 11, 2016, via email to 167 health plans, healthcare providers and healthcare clearinghouses," OCR confirmed. The 167 were chosen from a much larger field of candidates, who were informed of potential audits this past spring. The emails sent Monday contained not only the document request but also a dedicated link to a submission portal. A second email requested lists of the covered entities' business associations, as well as an invitation to a webinar explaining the whole process, OCR explained. This round of audits follows a pilot HIPAA audit program conducted on site in 2010-2011 of 115 covered entities. Since then, the HIPAA Omnibus Final Rule of 2013 has extended compliance requirements to business associates as well as covered entities.