HIPAA Compliance Date: Sept. 23, 2013

Impending HIPAA Compliance Date

As discussed in prior HIPAA Alerts, a final 563-page Omnibus HIPAA Rule was released by the Department of Health and Human Services Office of Civil Rights to strengthen HIPAA’s security and privacy protections. Although the final rule took effect on March 26, 2013, covered entities and business associates were given until September 23, 2013 to comply with the applicable requirements of the final rule. The compliance date is now just around the corner. With increased enforcement of HIPAA compliance by OCR and greater sensitivity by patients to their protected health information, HIPAA compliance has become paramount.

Data gathered by OCR demonstrates the wide array of providers who have been investigated by OCR for HIPAA compliance. OCR’s data indicate that the types of covered entities that have been required to take corrective action include, in order of frequency: 

  • Private Practices
  • General Hospitals
  • Outpatient Facilities
  • Health Plans
  • Pharmacies

OCR’s data further show that HIPAA complaints commonly involve improper disclosures of protected health information (implicating the Privacy Rule) and lack of safeguards for protected health information (implicating the Security Rule). The compliance issues most often investigated by OCR are, in order of frequency:

  • Impermissible uses and disclosures of protected health information
  • Lack of safeguards of protected health information
  • Lack of patient access to their protected health information
  • Uses or disclosures of more than the minimum necessary protected health information
  • Lack of administrative safeguards of electronic protected health information

Recent cases demonstrate the vigor with which OCR is enforcing the HIPAA rules. In particular, on August 7, 2013, a covered entity agreed to pay $1,215,780 to the U.S. Department of Health and Human Services to settle potential HIPAA violations after OCR discovered that the protected health information of 344,579 individuals was impermissibly disclosed when the covered entity returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. This settlement is a warning to covered entities and business associates that all facets of an entity’s operation need to be reviewed when considering HIPAA compliance.