May 25, 2013

HIPAA Audit Protocols Now Public; Plus, Preliminary Insights from OCR

As promised by the Department of Health and Human Services’ Office of Civil Rights (OCR) and as reported here on June 11th, OCR has released its HIPAA privacy and security audit protocols.  The audit protocols are intended to cover the three main areas of HIPAA privacy and security enforcement:

  1. Privacy Rule requirements, specifically:
    • notice of privacy practices for Protected Health Information (PHI);
    • rights to request privacy protection for PHI;
    • access of individuals to PHI;
    • administrative requirements;
    • uses and disclosures of PHI;
    • amendment of PHI; and
    • accounting of disclosures.
  2. Security Rule requirements for administrative, physical, and technical safeguards.
  3. Breach Notification Rule requirements.

The protocol addresses 165 performance criteria: 77 of them focus exclusively on compliance with the Security Rule, and the remaining 88 address the Breach Notification Rule and Privacy Rule requirements in combination.

Senior Advisor David Mayer of OCR, during his presentation at the 2012 American Health Lawyers Association Annual meeting in Chicago, Illinois, stated that the protocol presently on the website is actually an updated version of the protocol used to audit the first 20 covered entities who were selected for examination during the HITECH audit pilot program period.  He also stated that there are ninety-five more covered entities that will be audited to meet the OCR’s goal of auditing 115 entities and that OCR did not open any additional reviews related to the 20 audits it has completed so far.  Last, he noted that once the HIPAA Omnibus Rule is published, OCR will likely audit business associates thereafter.

Mr. Mayer also provided some of his preliminary observations gathered during the audit pilot program period.  An audible gasp rose from the crowd when he recounted a story where, when the KPMG auditors arrived to complete the audit of the covered entity, the covered entity’s representatives essentially said, “We have nothing; we are so glad to see you because we need your help.”  The audit was a wake-up call to the covered entity to prioritize HIPAA privacy and security compliance programs.

Mr. Mayer announced that OCR plans to continue its audit program in 2013 and 2014, and that the agency has been appropriated the money to do so.  All covered entities, particularly small providers (who historically have constituted a high proportion of HIPAA violations), should take the opportunity to use the audit protocols as a guide to draft or revamp their HIPAA compliance policies and procedures as well as to devise a plan of action to respond to audits in an organized and comprehensive manner.

Mr. Mayer noted to the audience that they’d be “surprised” at how many covered entities do not have HIPAA compliance policies and procedures in place.  But, all covered entities should take this comment to mean that it is not too late to put some in place rather than as a signal that there is still time to do so.

©1994-2013 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

About the Author

Of Counsel

Dianne is Of Counsel in the firm’s Health Law Section. She advises a variety of health care clients on a broad range of issues, including licensure, regulatory, contractual, and risk management matters, and patient care. A large part of Dianne’s practice involves counseling researchers and research sponsors in matters related to FDA and OHRP regulated clinical research, including patient consent, access to and use of tissue and associated patient information, and the Institutional Review Board process. She also counsels health care clients and other business entities...

About the Author

Associate

Stephanie is an Associate in the Washington, D.C. office, practicing in the Health Law Section.

Prior to joining Mintz Levin, Stephanie was an associate counsel in the Department of Health and Human Services’ Office of Counsel to the Inspector General. There, her practice focused on health care enforcement matters involving the False Claims Act, the Social Security Act, the Physician Self-Referral Act, the anti-kickback statute, the EMTALA, and other administrative actions.
