New HIPAA Guidance, Audits, and Enforcement
At the Health Care Compliance Association (HCCA) Compliance Institute, Iliana Peters, Senior Advisor for HIPAA Compliance and Enforcement for HHS OCR, presented the “OCR Enforcement Update.” She addressed enforcement, current trends, and breach reporting statistics. Last year, OCR issued new guidance on the “Right to Access” provisions under HIPAA that included methods of delivery and appropriate charges for patient medical record requests. This year, OCR focused on privacy issues. Providers can expect to see more guidance from OCR regarding social media privacy, certification of electronic health record technology, and the rationale for penalty assessment. OCR is currently conducting the Phase 2 audits of HIPAA privacy, security, and breach notification for 166 covered entities and 43 business associates. These audits will likely result in increased monetary penalties in the future. Phase 3 will follow the same general approach currently used, which includes review of control rules for privacy protection, breach notification, and security management.
Peters further stated that OCR continues to receive and resolve an increasing number of HIPAA violation complaints. OCR has received 150,507 complaints to date, with 24,879 resolved through corrective action measures or technical assistance. At this rate, OCR estimates it will receive 17,000 complaints in 2017. She also noted that OCR continues to see enforcement issues for Covered Entities involving disclosures of patient information without prior patient authorization. OCR also identified issues with filming, publishing PHI on websites and on social media, providing patient information to reporters, and faxing PHI to an individual’s employer. Business Associate Agreement issues continue, particularly with those providing collection services that have access to PHI, independent medical transcriptionists for physicians, and subcontractors that provide remote backup services. Peters provided compliance advice for Covered Entities and reminded everyone that the OCR official guidance is available online to assist in this effort.
Catie Heindel, JD, CHC, CHPC, specializes in HIPAA compliance reviews and audits, and emphasizes the need for Compliance Officers to consider HIPAA as another high-risk area that requires ongoing monitoring and auditing. Program managers, as well as HIPAA Privacy and Security Officers, should do the following:
- Remain current with regulations and standards;
- Institute proper internal controls;
- Provide written guidance to all covered persons;
- Train all covered persons; and
- Monitor compliance with the written guidance.
Ongoing auditing involves conducting a review independent of program managers to verify that appropriate monitoring is taking place and to validate that everything is functioning as intended. Because many Compliance Officers also have responsibility for HIPAA Privacy, they cannot perform the independent review and auditing function themselves. The verification and validation audit is critical: no matter how diligent program managers have been in implementing the program properly, gaps and weaknesses invariably exist. Often, controls have been implemented but not tested, or written guidance has been established but is rarely followed. Over time, individuals may forget or neglect to follow policies, or an organization may experience any number of other problems that make it vulnerable. It is therefore advisable to have an independent review conducted. The HIPAA Security Rule underscores the independent review because it requires conducting a risk assessment to ensure compliance with HIPAA’s administrative, physical, and technical safeguards. That assessment also helps reveal areas where an organization’s PHI may be at risk.
Have HIPAA Questions? Visit Our HIPAA Knowledge Center
If you have questions regarding HIPAA compliance, visit our HIPAA Knowledge Center for FAQs and informative publications. Ready to connect with a HIPAA expert? Contact us online, or call (703) 683-9600 to learn how we can help your organization identify risk areas and maintain compliance.