View more from News & Articles or Primerus Weekly

Iseman, Cunningham, Riester & Hyde LLP
Albany/Poughkeepsie, New York

The Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS) recently criticized the HHS Office of Civil Rights (OCR) for ineffective enforcement of HIPAA privacy standards and security breach reporting requirements.  In response, the OCR promised enhanced oversight and the launch of the second phase of its audit program in the year ahead.  Before 2015 came to a close, the OCR made good on this promise by announcing three major HIPAA settlements that exceed $5 million combined.  All three originated from breach reports filed with the OCR, and a key deficiency in all three was the failure to conduct an acceptable risk analysis.

The OCR’s audits in 2016 will measure compliance with HIPAA's privacy, security, and breach notification protocols by covered entities and business associates.  Audits will most likely focus on vulnerabilities in regards to securing protected health information (PHI) and consist of a combination of desk reviews of policies as well as onsite reviews.

The OCR’s audit protocol is organized around modules covering the following:

(i) Privacy Rule requirements for (1) notice of privacy practices, (2) rights to request privacy protection of PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendments to PHI, and (7) accounting of disclosures.

(ii) Security Rule requirements for administrative, physical, and technical safeguards.

(iii) Requirements for the Breach Notification Rule.

While the final audit protocol is still in development, a current protocol table is available and searchable online. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

In the first phase of audits, OCR found that 54 percent of those audited were noncompliant with some portion of the Privacy Rule.  In this initial round, the OCR was mostly concerned with hospital and individual providers.

Covered entities and business associates must be proactive and diligent.  Leadership is critical to an effective HIPAA compliance program.  There should be a review of policies, administrative procedures, technical security mechanisms, and physical safeguards pertaining to HIPAA compliance.  Some questions to address are:

  • Are our policies up to date?
  • Is training current on those policies?
  • Have risk assessments been conducted?
  • What do we have in place to regularly monitor and audit privacy programs and technology?
  • Have we had any breaches?
  • Do we have a response team?
  • Have we audited our current HIPAA documentation, corrective action and complaint logs?
  • Have we identified business associates and involved security officers and compliance staff?
  • What compliance tools do we need?

Failure to comply with HIPAA can be disruptive and costly resulting in regulatory action, fines, lawsuits and a damaged reputation.  Given the OCR’s expected increased enforcement activities, covered entities and business associates need to take action to minimize these risks.

Resources:

HIPAA Security Checklist

http://www.ihs.gov/hipaa/documents/IHS_HIPAA_Security_Checklist.pdf

For more information about Iseman, Cunningham, Riester & Hyde LLP, please visit the International Society of Primerus Law Firms.