Policyholders Face Heightened Scrutiny Under OCR’s New Permanent Audit Program

The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) has notably increased enforcement of compliance with the Health Insurance Portability and Accountability Act (“HIPAA”) and Health Information Technology for Economic and Clinical Health (“HITECH”) privacy and data security rules regarding patients’ protected health information (“PHI”).

In addition to relying on self-reported breaches of patient data, the OCR is forming a “permanent audit program” that will monitor compliance with patient privacy rules by medical service providers as well as by associated entities, such as billing companies. The OCR plans to audit hundreds of covered entities regarding PHI data security and computer network practices. Selected entities will receive notification and data requests this year. The OCR plans to include business associates in the scope of its audit program by 2015.

The OCR audits are particularly designed to enhance compliance with data security standards for PHI kept on mobile devices. Typically, under HIPAA and HITECH, entities must self-report to the OCR breaches of patient data involving more than 500 individuals within 60 days of an event.

As the use of mobile devices like laptop computers, smart phones and tablets to store and access PHI continues to increase, several recent enforcement actions illustrate the risk posed to policyholders.

Most recently, the OCR obtained an approximately $1.7 million settlement with Humana subsidiary Concentra Health Services related to the theft of two unencrypted laptops containing PHI data about approximately 1,770 patients. The OCR investigation also revealed several other breaches involving fewer than 500 individuals. $1.7 million for two laptops.

Similarly, the OCR recently agreed to a $250,000 monetary settlement with ACA Health Plan, Inc. of Arkansas related to an unencrypted laptop containing electronic PHI data of 148 individuals that was stolen from an ACA representative’s car.

These and other similar settlements indicate that the OCR is taking a more proactive approach to investigating and deterring potential breaches of the HIPAA and HITECH privacy and security rules. Policyholders must take diligent steps to ensure that PHI—particularly on mobile devices—is properly encrypted and protected from disclosure.

Finally, we note that the scope of OCR’s authority is expansive and its enforcement efforts are still young. How the OCR defines “business associates” for purposes of enforcement will, in part, determine the limit of its scope. It is presumed that the OCR will include medical billing services and laboratory testing facilities within the scope of its enforcement efforts. Will it also include medical malpractice law firms and information technology service providers? What about janitorial services and cloud-storage providers?

Topics:  Audits, Compliance, Covered Entities, Data Protection, HHS, HIPAA, Hospitals, Humana, OCR, Patient Privacy Rights, PHI

Published In: Health Updates, Insurance Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Traub Lieberman Straus & Shrewsberry LLP | Attorney Advertising
