May 24, 2012

Office for Civil Rights Senior Advisor Gives HIPAA Enforcement Update Presentation to Attorneys in Indianapolis

On August 18, 2011, David A. Mayer, Acting Senior Advisor for Health Information Privacy, Compliance & Enforcement, U.S. Department of Health and Human Services, Office for Civil Rights, gave a presentation to attorneys at a conference sponsored by the Indianapolis Bar Association. Mr. Mayer focused his presentation on providing an update of the Office for Civil Rights’ (OCR) enforcement of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security regulations. 

In discussing the breach notification requirements, Mr. Mayer stated that notification must be made without unreasonable delay, and in no case later than sixty calendar days after discovery of the breach. Mr. Mayer emphasized that this does not mean a covered entity has sixty days to notify all individuals of a breach. Instead, a covered entity must notify all individuals as soon as it confirms a breach has occurred. Mr. Mayer indicated that OCR has investigated instances where a covered entity confirmed a breach and obtained all of the information necessary to notify the individuals within just a few days of discovering the breach, but then waited to send the notification until sixty calendar days after discovering the breach. According to Mr. Mayer, such delay in notification violates the regulation.

Mr. Mayer also stated that OCR is required to investigate all reports of breaches involving more than five hundred individuals. He explained that when a covered entity reports such a breach, the covered entity should be prepared to respond to OCR with the following information:

  • A determination of the root cause of the breach;
  • Identification of the gaps in complying with the Privacy and/or Security rules that led to the breach; and
  •  Evidence that the root cause has been addressed to ensure that further breaches do not occur.

Each OCR regional office has discretion whether to investigate breaches involving fewer than five hundred individuals. Mr. Mayer explained that each regional office monitors a list of such breaches, and a regional office will be more likely to investigate a covered entity if it appears to be involved in multiple breaches, particularly where the breaches are similar in nature.

Finally, Mr. Mayer noted that OCR is still in the process of finalizing the following HIPAA rules:

  •  Breach notification interim final rule, issued August 24, 2009;
  •  Enforcement and compliance interim final rule, issued October 30, 2009;
  •  Privacy and security provisions proposed rule which makes business associates subject to HIPAA, issued July 14, 2010; and
  •  Accounting for disclosures from electronic records proposed rule, issued May 31, 2011.

Mr. Mayer explained that OCR does not yet know when the rules will be finalized, but said that he hopes the rules will be finalized by the end of this year. 

© 2012 BARNES & THORNBURG LLP

About the Author

Associate

Stacy L. Cook is an associate in the Healthcare Department in the firm’s Indianapolis, Indiana office. Ms. Cook concentrates her practice on regulatory and transactional issues, including fraud and abuse laws, billing and reimbursement, HIPAA compliance, and related litigation matters, involving a wide variety of healthcare providers, including physicians, pharmacists, wholesale drug distributors, pharmacies, psychologists, physical therapists, hospital medical staffs and long-term care facilities. She has extensive experience in representing healthcare providers before state...
