HIPAA News: The Good, the Bad, and the Ugly

by Davis Wright Tremaine LLP

[author: Adam H. Greene]

The past week has brought no less than three significant HIPAA announcements: the publication of the audit protocol that is being used in the Office for Civil Rights’ (“OCR”) current privacy and security audits; the first HIPAA financial settlement with a state agency; and a further delay of the final HIPAA “omnibus” rules. These various news items offer a tool for assessing compliance, an indicator that no covered entity may be immune from formal enforcement, and yet another bump on the road towards the next phase of HIPAA regulations.

A few takeaways from these developments:

  • Even a relatively small breach may lead to a large settlement if the subsequent investigation indicates widespread noncompliance.
  • The publication of the audit protocol suggests that robust documentation of compliance efforts is a key to passing a privacy and security audit, but leaves a lot of unanswered questions about the standards upon which entities are being assessed.
  • The final HIPAA omnibus rule remains out of OCR’s hands for the time being, and the extended delay raises the question of whether there are prolonged discussions with the Office of Management and Budget (“OMB”) that may significantly alter the final rule from what was proposed.

OCR publishes the audit protocol
On June 25, OCR published the audit protocol that is being used in the current round of privacy and security audits. The audit protocol includes 165 “key activities” (88 related to the Security Rule, 10 related to Breach Notification, and 78 related to the Privacy Rule). For example, a key activity under the Breach Notification Rule is “Timeliness of Notification.” A given key activity may have a number of associated audit procedures. With respect to sanctions under the Privacy Rule, for example, the associated audit procedures include:

Inquire of management as to whether sanctions are in place against members of the covered entity's workforce who fail to comply with the privacy policies and procedures. Obtain and review formal or informal policies and procedures to determine if sanctions are identified/described in the event members of the workforce do not comply with the entity's privacy practices. From a population of instances of individual/employee non-compliance within the audit period, obtain and review documentation to determine whether appropriate sanctions were applied. Obtain and review evidence that the policies and procedures are updated and conveyed to the workforce.

This audit protocol emphasizes documentation of HIPAA compliance efforts. Accordingly, covered entities and business associates that have robust policies but little documentation of implementation may want to consider beefing up evidence of their continued compliance.

The audit protocol represents a mixed bag. On the positive side, the audit protocol provides questions that auditors will be asking with respect to compliance with HIPAA’s privacy, security, and breach notification provisions. Covered entities and business associates can go through these questions themselves for purposes of conducting a gap analysis (although not all questions will be applicable to business associates). The result should be a significantly improved privacy and security program. In particular, this audit protocol, combined with the recently published National Institute of Standards and Technology (“NIST”) HIPAA Security Rule Toolkit and videos of training to state attorneys general, provides a wealth of information to covered entities.

The audit protocol, however, is a disappointment in other respects. It does not provide much detail as to the standards against which the audited entity is being judged. For example, with respect to the Privacy Rule’s requirement for administrative, technical, and physical safeguards, the audit procedures require the auditor to “[o]bserve and verify whether the safeguards in place are appropriate.” However, it remains unclear what safeguards are appropriate (e.g., does all physical protected health information need to be kept locked, or only that which would cause significant harm if viewed by an unauthorized person?). The audit protocol also suggests new obligations that are not clearly stated in the regulations or prior guidance. For example, with respect to evaluations of security measures, the audit procedures require that the auditor:

Inquire of management whether evaluations are conducted by internal staff or external consultants. Obtain and review a sample of evaluations conducted within the audit period to determine whether they were conducted by internal staff or external consultants. For evaluations conducted by external consultants, determine if an agreement or contract exists and if it includes verification of consultants' credentials and experience. For evaluations conducted by internal staff, determine if the documentation covers elements from the specified performance criteria.

The above appears to exceed the requirements of the Security Rule, which does not require covered entities to verify the credentials of outside evaluators (which is not to suggest that doing so is not a good idea).

The audit protocol also appears to be missing some relevant sections of HIPAA. For example, it references the standard for "transmission security," but does not include the related implementation specifications. It is unclear whether this means that the auditors are not looking at such implementation specifications (integrity and encryption of transmissions), or whether they are merely absent from the published protocol.

Finally, the audit protocol raises some questions regarding interpretation of the regulations. For example, the Security Rule includes both standards and implementation specifications. The implementation specifications are listed as either “required” or “addressable,” but the standards are not labeled in the same manner. The audit protocol suggests that a standard, when it also has implementation specifications, is addressable rather than required. For example, the audit protocol treats implementing a security awareness and training program for all members of the workforce (a standard) as addressable, rather than required. This may come as a surprise to many, who may have interpreted that such standards were required.

OCR settles with Alaska Medicaid for $1.7 million
On June 26, OCR announced a resolution agreement and corrective action plan with Alaska’s Medicaid agency, the Alaska Department of Health and Social Services (“DHSS”). The precipitating event was the theft of a portable external hard drive from the vehicle of a DHSS employee. According to the breach data that DHSS submitted to OCR, the incident involved the records of 501 individuals, a relatively small amount compared to other breaches on OCR’s breach report website. Upon investigation, however, OCR allegedly found that DHSS had not completed a risk analysis in accordance with the Security Rule, had not implemented sufficient risk management measures, had not completed security training of its workforce, had not implemented device and media controls, and had not addressed device and media encryption. The resolution agreement involves the payment of $1.7 million and the corrective action plan lasts for three years and focuses on security surrounding devices containing electronic protected health information (e.g., procedures for tracking, safeguarding, encrypting, and appropriately disposing of or re-using such devices), responding to security incidents, applying sanctions to workforce members that violate the corrective action plan’s policies, training, and conducting risk analysis and risk management. DHSS also must obtain the services of an independent monitor, which may significantly add to the cost of the resolution.

After the last financial settlement (with a small physician practice), OCR is continuing to deliver its message that formal settlements may occur with respect to any size or type of covered entity. This case raises interesting issues, such as the propriety, in this time of tight budgets, of a federal agency collecting settlement dollars from a state Medicaid agency (the resolution agreement alternatively could have included only a corrective action plan). It also raises the question of whether OCR will pursue formal enforcement against federal entities, such as the Veterans Health Administration.

Additionally, of 10 OCR settlements/penalties to date, this is the fourth from Region 10 (of 10 regions), which primarily handles the Pacific Northwest (although it also handled the Phoenix Cardiac Surgery settlement). In comparison, four regions have not brought any formal enforcement cases.

The HIPAA omnibus rule is further delayed
Finally, on June 22, the OMB website indicated that OMB extended its review of the so-called HIPAA omnibus rules for an indeterminate period of time. The omnibus rule would finalize the proposed HITECH Act rule (July 2010), the interim final breach notification rule (August 2009), the interim final enforcement rule (October 2009), and the proposed modifications pursuant to the Genetic Information Nondiscrimination Act (October 2009). While OCR recently has been stating that the omnibus rule is not just close, but “very close,” its publication is out of OCR’s hands until it gets OMB clearance. Accordingly, covered entities and business associates remain in limbo, with certain obligations under the HITECH Act unclear, the date that HHS expects business associates to come into compliance with the Privacy and Security Rules unknown, and the continuing threat that all business associate contracts will need to be renegotiated in the foreseeable future.

Theories abound regarding this delay, ranging from political motivations to a lengthy OMB docket to complexities in the final rule that require significant discussion (the latter is my guess). While the delay may be as innocuous as OMB being too short staffed to handle its docket, it alternatively could suggest that the rule’s OMB approval is being held up on some policy matters. The latter could indicate further changes from what was initially proposed in 2010.

While some were predicting publication in June 2012, speculation may now be focused on July or August (although later publication remains very much possible). In other words, no one knows when the final rule will come.

There is no word yet on finalization of the proposed accounting of disclosures modification, including the proposed access report requirement, which OCR has indicated is not part of the omnibus package.
