[authors: Stephanie D. Willis and Dianne Bourque]

This is an eventful week for the Department of Health and Human Services’ Office of Civil Rights (OCR), the agency that enforces the privacy and security standards under the Health Information Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act.  First, OCR is co-hosting the 5th annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference (HIPAA Security Conference) on June 6 & 7, 2012, with the National Institute of Standards and Technology (NIST).   Second, OCR has posted some useful documents on its website:  1) HIPAA training materials for State Attorneys General (SAG materials), and 2) a “Right to Access” memo for health care consumers.    

The materials published on the OCR website this week provide health care entities with insight into how the federal government is approaching HIPAA and HITECH Act education from the alternative perspectives of state enforcers and health care consumers.   The SAG materials include videos and computer training modules of the enforcement training sessions so their availability on the website makes them an invaluable resource for the general public and health care entities who want to know what state enforcement agencies have learned directly from OCR.  Equally as important, the Right to Access memo guides consumers to links and videos on their rights to access their health information records to empower them to be more involved in their health care and assert their access rights.  OCR has been aggressive recently about enforcing consumers’ right to access, including imposing a $4.3 million civil monetary penalty on Cignet Health in Feburary 2011. Of that large penalty, $1.3 million was levied specifically because OCR found that Cignet Health failed to provide 41 patients with access to their records in accordance with HIPAA requirements.  

The HIPAA Security Conference and OCR’s release of the aforementioned educational materials are only a preview of the flurry of activity that the health care industry should expect if and when the HIPAA Omnibus Rule is released.  As we previously posted, the rule was submitted to the Office of Management and Budget on March 24, 2012.  So, according to the 90-day review timeline generally permitted for review, the HIPAA Omnibus Rule could be released later this month.  Also, according to OCR’s comments at the HIPAA Security Conference on June 7th, OCR will be issuing more informational documents soon, including the protocols for audits mandated under HITECH.