Paul Zimmerman

Patient Privacy Audits Underway . . . Are You HIPAA Compliant?

Health care data security breaches have become increasingly common in recent months. These breaches are largely a consequence of outdated privacy technology systems and inconsistent monitoring. However, the U.S. Government aims to change that. On Monday, March 21, 2016, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced the launch of a new round of audits to monitor compliance with the patient privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA).

Speaking at the 24th National HIPAA Summit in Washington, DC, OCR Director Jocelyn Samuels addressed the launch, noting that the effort will comprise more than 200 desk and on-site audits of covered entities (health providers, plans, clearinghouses, etc.). Samuels also explained that OCR has developed an audit-specific portal to enable audited organizations to submit requested documentation electronically. As detailed on the website, “the 2016 Phase 2 HIPAA Audit Program will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”

Director Samuels further explained, "This is a critical tool for us. We don't intend it to be a punitive mechanism. We do intend to use it to enable us to get out in front of the kinds of problems that have led to the breach reports that we have received." The agency will begin this week with address verification letters, followed by a questionnaire. Depending on the results of the questionnaire, OCR will commence audits based on a range of factors. As the OCR explains, “the audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches.”

How can a health care entity effectively guard against a data breach and minimize the risk of an OCR audit? It begins with building and honing a culture of security and privacy, extending from a company’s executive leadership all the way down to support staff. Companies would be well advised to implement a proactive risk management plan in which risks are assessed periodically and potential intrusions are examined before they occur. This starts by providing employees with adequate skills and training and ensuring that sufficient resources are made available for security measures, including technology infrastructure (a number of companies market HIPAA-compliant software). If you are concerned that your security protocols are out of date and fear a HIPAA audit, it is imperative that you contact an attorney with expertise in patient privacy and data security issues. The time to act is now.

This article is not offered as, and should not be relied on as, legal advice. You should consult an attorney for advice in specific situations.