The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), the main enforcer of HIPAA privacy and security rules, recently released its HIPAA privacy and security audit protocols. The OCR HIPAA Audit program analyzes the processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. The protocol covers three main areas of HIPAA privacy and security:
• First, the audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for Protected Health Information (PHI), (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
• Second, the audit protocol covers Security Rule requirements for administrative, physical, and technical safeguards.
• Third, the audit protocol covers requirements for the Breach Notification Rule.
A full list of the 165 performance criteria can be found here.
During the 2012 annual meeting of the American Health Lawyers Association, Senior OCR Advisor David Mayer, speaking about the new protocols, announced that OCR plans to continue its audit program in 2013 and 2014 and has been allocated the funding to do so. He stated that all covered entities, particularly small providers, who historically have accounted for a high proportion of HIPAA violations, should take the opportunity to use the audit protocols as a guide to draft or revamp their HIPAA compliance policies and procedures, and to devise a plan of action for responding to audits in an organized and comprehensive manner.
The attorneys at the law firm of Egan & Golden, LLP can assist you with any questions regarding HIPAA compliance or HIPAA audit response plans.
NOTABLE RECENT HIPAA SETTLEMENTS:
Phoenix Cardiac Surgery, P.C. has agreed to pay a $100,000 fine and implement a corrective action plan under a Resolution Agreement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) after a lengthy investigation into potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. (Full story here.)
The Alaska Department of Health and Social Services (DHSS) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,700,000 to settle possible violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. Alaska DHSS has also agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of its Medicaid beneficiaries. (Full story here.)
Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, Leon Rodriguez, Director of the HHS Office for Civil Rights (OCR), announced today. BCBST has also agreed to a corrective action plan to address gaps in its HIPAA compliance program. The enforcement action is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule. (Full story here.)