ARTICLE
21 October 2015

Federal Government Announces New HIPAA Privacy Audits For Companies That Handle Healthcare Data

FK
Frankfurt Kurnit Klein & Selz

Contributor

Frankfurt Kurnit provides high quality legal services to clients in many industries and disciplines worldwide. With leading practices in entertainment, advertising, IP, technology, litigation, corporate, estate planning, charitable organizations, professional responsibility and other areas — Frankfurt Kurnit helps clients face challenging legal issues and meet their goals with efficient solutions.
Here's some news for companies that have to comply with the privacy provisions of the Health Insurance Portability and Accountability Act ("HIPAA").
United States Privacy

Here's some news for companies that have to comply with the privacy provisions of the Health Insurance Portability and Accountability Act ("HIPAA"). The U.S. Department of Health and Human Services ("HHS") has announced plans to begin auditing compliance in early 2016.

The announcement of a new, permanent audit program follows criticism from the HHS Office of Inspector General ("OIG") in two reports examining HIPAA enforcement. OIG expressed the need for a permanent audit program, noting that "[w]ithout fully implementing such a program, OCR [the HHS Office of Civil Rights] cannot proactively identify covered entities that are noncompliant with the privacy standard." Currently, HHS relies primarily on complaints or tips, and voluntary disclosures of data breaches, as the bases for investigating alleged HIPAA violations. 

Covered entities under HIPAA include health care providers, insurers, clearinghouses - and their "business associates". HIPAA requires covered entities to adopt safeguards to protect the privacy and physical security of protected health information or "PHI" (defined broadly under HIPAA as individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral).

OCR indicated that it will target high-risk areas and entities which have consistently been non-compliant, and include both onsite visits and remote desk reviews. The audits will also include both covered entities and their business associates.

With the audits expected to begin in early 2016, covered entities and their business associates should consider reviewing and following the HIPAA Audit Program Protocol, which addresses privacy, security, and breach notification. HHS is in the process of updating the protocol, and you may keep up with new developments here.

As a first step, entities should conduct a security risk assessment, and then take the necessary steps to address any identified instances of noncompliance. 

www.fkks.com

This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More