The protocol addresses 165 performance criteria, 77 of which
focus exclusively on compliance with the Security Rule, and 88 in
combination that deal with Breach Notification and Privacy Rule
Senior Advisor David Mayer of OCR, during his presentation at
the 2012 American Health Lawyers Association Annual
meeting in Chicago, Illinois, stated that the protocol
presently on the website is actually an updated version of the
protocol used to audit the first 20 covered entities who were
selected for examination during the HITECH audit pilot program period. He also stated that
there are ninety-five more covered entities that will be audited to
meet the OCR's goal of auditing 115 entities and that OCR did
not open any additional reviews related to the 20 audits it has
completed so far. Last, he noted that once the
HIPAA Omnibus Rule is published, OCR will likely audit business
Mr. Mayer also provided some of his preliminary observations
gathered during the audit pilot program period. An audible gasp
rose from the crowd when he recounted a story where, when the KPMG
auditors arrived to complete the audit of the covered entity, the
covered entity's representatives essentially said, "We
have nothing; we are so glad to see you because we need your
help." The audit was a wake-up call to the covered entity to
prioritize HIPAA privacy and security compliance programs.
Mr. Mayer announced that OCR plans to continue its audit program
in 2013 and 2014, and that the agency has been appropriated the
money to do so. All covered entities, particularly small providers
(who historically have constituted a high proportion of HIPAA
violations), should take the opportunity to use the audit protocols
as a guide to draft or revamp their HIPAA compliance policies and
procedures as well as to devise a plan of action to respond to
audits in an organized and comprehensive manner.
Mr. Mayer noted to the audience that they'd be
"surprised" at how many covered entities do not have
HIPAA compliance policies and procedures in place. But, all covered
entities should take this comment to mean that it is not too late
to put some in place rather than as a signal that there is still
time to do so.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The Centers for Medicare & Medicaid Services (CMS) recently announced revisions to its State Operations Manual that change the complaint survey investigation process and typical timeline for resolution.
On April 5, 2013, the Internal Revenue Service officially issued proposed regulations addressing the requirement under Section 501(r)(3) of the Internal Revenue Code that tax-exempt hospitals conduct community health needs assessments.
The U.S. Supreme Court heard oral arguments last month in the matter of Association for Molecular Pathology v. Myriad Genetics, a curious case that does not bode well for America’s biotechnology industry and could overturn 30 years of U.S. patent policy.
Earlier this month, the Lobbying and Advocacy Group’s Medicare Reimbursement and Health Policy Director, Anna Schwamlein Howard, partnered with Drinker Biddle attorneys Jeremy Shapiro-Barr and Douglas Swill on a client alert.