Covered entities, including employer-sponsored health plans, should brace for audits and enforcement of the Privacy, Security, and Breach Notification Rules by the Department of Health & Human Services Office for Civil Rights (OCR). Last month OCR announced a large HIPAA settlement, on the heels of its release of the preliminary results from Phase 2 of the HIPAA Audit Program.
Preliminary results from Phase 2 suggest that compliance with the HIPAA Privacy, Security, and Breach Notification standards is largely “inadequate,” with over 94 percent of the audited covered entities failing to demonstrate appropriate risk management plans. The subsequent $2.3 million settlement with 21st Century Oncology, Inc. highlights the importance for covered entities and their business associates of complying with HIPAA’s organizational, risk assessment, privacy and security, and other requirements.
As OCR continues to issue additional guidance, and to supplement that guidance with the information disclosed in settlement agreements such as the 21st Century Oncology settlement, covered entities may wish to take note of the following themes:
While the particulars of each OCR settlement vary, all of them send a very clear message: OCR expects covered entities to comply with HIPAA, and it is offering guidance to aid them in that process.