BreachExchange mailing list archives

HIPAA Compliance Audits Remain on Hold


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 17 Apr 2015 13:11:59 -0600

http://www.govinfosecurity.com/hipaa-compliance-audits-remain-on-hold-a-8108

After a three-year delay, federal regulators remain tight-lipped about when
the next round of HIPAA compliance audits will begin. But a variety of new
HIPAA-related guidance is in the works, a government official says.

During an April 15 session at the HIMSS 2015 Conference in Chicago, a
regional official from the Department of Health and Human Services' Office
for Civil Rights told attendees the next phase of the random HIPAA audit
program "is under development." Attorney Alessandra Swanson, an OCR team
leader from the agency's Chicago office, declined to say whether there's a
potential timeline for when OCR expects to kick off the next round of HIPAA
audits, or what the program might look like.

OCR, which enforces HIPAA, had hoped to kick off phase two of its
compliance audit program last fall, but officials last September revealed
the program was being delayed. The culprit blamed at the time: technology
that the agency said was still being rolled out at the agency that will
allow OCR to collect audit-related documentation from covered entities and
business associates via a Web portal (see HIPAA Compliance: What's Next?).

OCR also had a change in leadership last year. In July, Jocelyn Samuels was
named the office's new director. Samuels, who was formerly acting assistant
attorney general for the Civil Rights Division at the U.S. Department of
Justice, replaced Leon Rodriguez, who was named director of U.S.
Citizenship and Immigration Services, a unit of the Department of Homeland
Security.

Privacy attorney Adam Greene, a partner at the law firm Davis Wright
Tremaine, told Information Security Media Group in an interview at the
HIMSS Conference that he believes the delay in various OCR enforcement
activities, including the audit rollout, could be related to tight OCR
resources, as well as the new leadership settling in.

But OCR appears to be staffing up for the audit program. In an announcement
posted last week by HHS, the agency said it had opened a "compliance
specialist - auditing" position within its Washington headquarters.

"This position serves as the senior auditing subject matter expert who
provides leadership, oversight, coordination and advice necessary to
design, plan and execute an audit program of covered entity and business
associate compliance with the HIPAA privacy, security and breach
notification rules," the job posting said.

OCR officials in recent months have said the agency also is working on
updating its audit protocol for covered entities and creating a new audit
protocol for business associates. BAs became directly liable for compliance
under the HIPAA Omnibus Rule last year and are subject to OCR enforcement
actions, including financial penalties that range up to $1.5 million per
HIPAA violation.

Other Activities

In addition to preparing for resuming the random HIPAA compliance audit
program, OCR is working on new guidance, including material relating to
business associates; the breach notification rule as well as a breach
assessment tool; the use of protected health information for marketing; the
"minimum necessary" standard for data; and HIPAA Security Rule compliance
updates, Swanson says.

In addition, OCR is continuing breach investigations and rule-making.

"Our goal is, and has always been, to get entities into compliance," Swanson
says. "I know that our enforcement cases get a lot of attention, but when
you look at the number of enforcement cases versus those that are resolved
with technical assistance and corrective actions, you'll see that we always
try to go the compliance route first. We're interested in getting everyone
into compliance; we're not out there trolling for enforcement cases."

OCR is anticipating receiving 15,000 to 17,000 HIPAA complaints in 2015,
she says. All health data breaches affecting more than 500 individuals are
investigated by the agency, she says. Although there have been no
enforcement actions involving monetary settlements with business
associates, Swanson says the agency is currently investigating a number of
breaches involving BAs.

Greene, a former OCR official, says he expects the first HIPAA settlements
between OCR and business associates to come later this year or in 2016.

Pending Rules

Among the rule-making activities that OCR has under way is an update to a
proposal for an accounting of disclosures rule, which was mandated under
the HITECH Act. OCR in May 2011 issued a notice of proposed rule-making for
updating accounting of disclosures requirements under HIPAA. The proposal
generated hundreds of complaints from healthcare providers and others. Many
of the complaints were aimed at a controversial new "access report"
provision (see EHR Access Report Objections Pour In).

Federal advisers have suggested that OCR and its sister HHS agency, the
Office of the National Coordinator for Health IT, launch pilots to test
technical capabilities supporting accounting of disclosures involving PHI
from electronic health record systems before a final rule is issued.

OCR is also creating a way to share with victims a portion of the financial
penalties it collects from HIPAA settlements, Swanson says. Also, a final
rule from OCR for the National Instant Criminal Background Check System is
being reviewed by the Office of Management and Budget.