
The HITECH Act, which amended HIPAA, requires the Office for Civil Rights (“OCR”) to audit physician practices and other “covered entities” for compliance with HIPAA requirements. The OCR performed a pilot phase of 115 audits conducted between November 2011 and October 2012. The OCR will target all types of covered entities, including “small providers,” which include most physician practices.

The OCR’s audit assesses compliance against 77 security standards, or “protocols,” and 88 protocols relating to privacy and breach notification standards. In its initial 20 audits, the OCR found that 77% of the privacy audit issues, and 61% of the security audit issues, occurred in the small providers. The protocols emphasize extensive documentation, including written policies and risk assessments, compliance activities, training programs, and even documentation of decisions not to take certain compliance or security steps.

The OCR will review practices’ “processes, controls, and policies” to assess whether the practices are complying with the Privacy, Security, and Breach Notification Rules. The audit mandate requires the OCR to review Privacy Rule requirements including (1) notice of privacy practices for “protected health information” (“PHI”), (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures. For the Security Rule, the OCR will review a practice’s administrative, physical, and technical safeguards. The OCR will assess a practice’s compliance with the Breach Notification Rule, including a practice’s assessment of the chances of experiencing a breach, what to do in the event of a breach, and the ongoing obligations in the event of a breach. Deficiencies found in audits of practices’ “business associates,” which will be performed in a later audit wave, may lead to an audit of the practice.

The OCR’s discovery of a violation of HIPAA requirements may result in significant fines and potential exclusion from the Medicare program.
