Lessons Learned from Recent OCR HIPAA Audits

Covered entities, including employer-sponsored health plans, should brace for audits and enforcement of the Privacy, Security, and Breach Notification Rules by the Department of Health & Human Services Office for Civil Rights (OCR), following OCR’s announcement last month of a large HIPAA settlement on the heels of its release of the preliminary results from Phase 2 of the HIPAA Audit Program.

Preliminary results from Phase 2 suggest that compliance with the HIPAA Privacy, Security, and Breach Notification standards is largely “inadequate,” with over 94 percent of the covered entities failing to demonstrate appropriate risk management plans. The subsequent $2.3 million settlement with 21st Century Oncology, Inc. highlights the importance of covered entities and their business associates complying with HIPAA’s organizational, risk assessment, privacy and security, and other requirements.

As OCR continues to issue additional guidance, and to supplement that guidance through information shared in settlement agreements such as the 21st Century Oncology settlement, covered entities may wish to take note of the following themes:

  1. Implement a Risk Management Plan and Conduct Risk Assessments on a Regular Basis. Failure to implement a risk management plan and to conduct regular risk assessments was one of the biggest HIPAA compliance points of failure in the OCR pilot audit program. Such programs are important for determining risk levels and assessing the covered entity’s susceptibility to breaches of electronically stored PHI.
  2. Review Business Associate Agreements (“BAAs”). Although awareness of the requirement that covered entities enter into BAAs with their subcontractors has increased since the passage of the HIPAA Omnibus Rule in 2013, covered entities continue to fail to lay out PHI protective measures in the BAA. In order to survive an audit, the covered entity must be able to produce copies of all of its BAAs.
  3. Train Employees. Lack of workforce training can lead to data breaches and other HIPAA compliance issues. A proper HIPAA training program that covers newly hired employees and provides annual refresher training is ideal, and it should be specific to the company and its industry. Covered entities conducting such training should be sure to retain copies of the training materials and to document attendance.
  4. Report Breaches in a Timely Manner. Covered entities should maintain clear policies and procedures to ensure that breaches are reported within HIPAA’s notification timeframes.

While the particulars of each OCR settlement vary, all send a very clear message: OCR expects covered entities to comply with HIPAA, and it is offering guidance to aid them in that process.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising