Last week at the OCR/NIST conference, Building Assurance through HIPAA Security, Linda Sanches of the Office for Civil Rights provided an extensive update on the pilot HITECH audit program, including preliminary findings, what regulated entities can expect next, and suggestions for covered entities concerned about being audited. Mintz Levin attended the conference and is pleased to share some of the highlights below:
The initial round of audits included 8 health plans, 10 providers, and 2 clearinghouses.
Providers had the most findings (81%). Provider findings were both privacy and security related.
The most common privacy findings included misuse of the PHI of deceased individuals, compliance with the patient confidential disclosures right, disclosures for judicial proceedings, compliance with the patient access right, failure to follow policies and procedures, no evidence of policy and procedure implementation, insufficient policies and procedures, failure to review and update policies on an ongoing basis, and failure of the organization to prioritize HIPAA compliance.
For more on the OCR HITECH audits, see our complete post at the Mintz Levin Health Law Policy Matters blog.