The protocol addresses 165 performance criteria, 77 of which
focus exclusively on compliance with the Security Rule, and 88 in
combination that deal with Breach Notification and Privacy Rule
Senior Advisor David Mayer of OCR, during his presentation at
the 2012 American Health Lawyers Association Annual
Meeting in Chicago, Illinois, stated that the protocol
presently on the website is actually an updated version of the
protocol used to audit the first 20 covered entities who were
selected for examination during the HITECH audit pilot program period. He also
stated that there are ninety-five more covered entities that will
be audited to meet the OCR's goal of auditing 115 entities and
that OCR did not open any additional reviews related to the 20
audits it has completed so far. Last, he noted that once the
HIPAA Omnibus Rule is published, OCR will likely audit
business associates thereafter.
Mr. Mayer also provided some of his preliminary observations
gathered during the audit pilot program period. An
audible gasp rose from the crowd when he recounted a story where,
when the KPMG auditors arrived to complete the audit of the covered
entity, the covered entity's representatives essentially said,
"We have nothing; we are so glad to see you because we need
your help." The audit was a wake-up call to the
covered entity to prioritize HIPAA privacy and security compliance
Mr. Mayer announced that OCR plans to continue its audit program
in 2013 and 2014, and that the agency has been appropriated the
money to do so. All covered entities, particularly small
providers (who historically have constituted a high proportion of
HIPAA violations), should take the opportunity to use the audit
protocols as a guide to draft or revamp their HIPAA compliance
policies and procedures as well as to devise a plan of action to
respond to audits in an organized and comprehensive manner.
Mr. Mayer noted to the audience that they'd be
"surprised" at how many covered entities do not have
HIPAA compliance policies and procedures in place. But all
covered entities should take this comment to mean that it is not
too late to put some in place rather than as a signal that there is
still time to do so.
If you have questions regarding HIPAA compliance or HIPAA audit
response plans, please contact a member of your Mintz Levin service
team or a Mintz Levin privacy attorney.