Proposed HIPAA Reporting Requirement May Lead to Increased Compliance Costs and Enforcement Action


On May 31, 2011, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued a notice of proposed rulemaking (NPRM) that would allow individuals to obtain an “access report” from HIPAA covered entities reporting virtually every instance of access to their electronic protected health information (ePHI), including all access by individual employees. The proposed access report must reflect the full name of every person or entity that accessed an individual’s ePHI (if maintained in a designated record set) in the prior three years. An express purpose of this proposal is to allow individuals to identify situations in which a member of a covered entity’s workforce inappropriately accessed their ePHI. Individuals can then file a complaint with the OCR claiming improper employee access to ePHI.

In a recent case, the OCR entered into an $865,000 settlement with the University of California at Los Angeles Health Systems (UCLAHS) after investigating celebrity complaints of potential inappropriate ePHI access by UCLAHS employees. The investigation led to OCR allegations that UCLAHS employees repeatedly accessed ePHI of many patients, including several celebrity patients, when they did not have any job-related need to access the data, and that UCLAHS failed to implement security controls to reduce the risk of impermissible access, failed to provide Security Rule training, and failed to apply appropriate sanctions against workforce members who violated UCLAHS policies and procedures.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Poyner Spruill LLP | Attorney Advertising
