Forced to respond to a stinging audit report recently released by the U.S. Department of Health and Human Services' (HHS) Office of Inspector General (OIG), which found that enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy standards has been less than effective,1 HHS' Office for Civil Rights (OCR) will commence its long-awaited HIPAA audits in early 2016. Ever since OCR completed its pilot audits in 2014, it has been widely expected that OCR would follow up by implementing a permanent audit program. That never materialized, despite OCR's announcements and preparations to launch the second phase of its audit program.
In its report examining OCR's oversight of covered entities' compliance with the HIPAA Privacy Rule,2 OIG determined that OCR's oversight has been primarily reactive: in the overwhelming majority of its investigations, OCR was responding to complaints rather than running an audit program that proactively identifies and assesses covered entities' possible noncompliance with the privacy standards. Although the Health Information Technology for Economic and Clinical Health (HITECH) Act requirement for audits has been in effect since early 2010, OCR has not fully implemented an audit program for covered entities. The concern is that covered entities (such as doctors, pharmacies, and health insurance companies) that do not adequately safeguard protected health information (PHI) (such as medical conditions, prescriptions, or treatment history) could expose patients to invasion of privacy, identity theft, or other harm. OIG's primary corrective action recommendation was that OCR immediately and fully implement a permanent audit program. With its feet to the fire, OCR has accepted this finding and undertaken to launch audits in early 2016.
With the initiation of OCR's audit program fast approaching, potential targets must maintain readiness for audit examination, because HIPAA noncompliance can be costly and disruptive to an organization. The most common deficiency OCR found in its pilot audits was an organization's failure to conduct a security risk assessment to identify and mitigate risks to PHI (e.g., PHI on exposed servers, unencrypted laptops, unchanged default passwords, out-of-date security software, and inadequate training). As hard as it is to believe, many HIPAA entities still have not implemented this "lesson learned." As recently as a few weeks ago, OCR announced a $750,000 settlement with Indiana-based Cancer Care Group, P.C., because it had failed to conduct an enterprise-wide risk analysis and to implement follow-on device and media control policies governing the transport of unencrypted PHI. OCR contends that a risk assessment could have identified the control weakness.3
For more information about the OIG privacy enforcement report or the HIPAA audit protocol, please contact one of the individuals listed in the sidebar. To assist healthcare entities' readiness for a HIPAA audit, Day Pitney LLP has developed several tools to facilitate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Information on Day Pitney's compliance tools is available on request.
1 U.S. Department of Health and Human Services, Office of Inspector General, "OCR Should Strengthen Its Oversight of Covered Entities' Compliance With the HIPAA Privacy Standards," September 2015, OEI-09-10-00510.
2 The HIPAA Privacy Rule provides standards for using, sharing, and disclosing patients' protected health information.
On January 30, Jed Davis will speak at The Knowledge Group Webcast, "Best Strategies in Protecting Your Firm Against Hackers: What Hackers Can and Cannot Do?"
Theresa Kelly and Howard Fetner wrote an article, "AARP Lawsuit Puts EEOC In An Awkward Position," for Law360.
Jed Davis authored the article, "Cybersecurity for the Under-Resourced" for Bloomberg BNA.
On November 2, Susan Huntington and Eric Fader will be speaking at a webinar jointly sponsored by Day Pitney and Wolf & Co., "Business Associates Are Under a Microscope - Are You Prepared?"
On August 30, Susan Huntington was a speaker in the webcast "Medical Devices in Hospital Networks: Mitigating Risk in 2016" hosted by the Knowledge Group.
Eric Fader was quoted in an article, "Trump may maintain support for health IT, cut funds for HIPAA audits," in McKnight's Long Term Care News.
Eric Fader was quoted in an article, "Incoming Trump Administration May Mean Less Funding for HIPAA Audits," in Bloomberg BNA's Health Care Fraud Report.
Eric Fader was quoted in an article, "Prior Defects Could Sink Auvi-Q Even As EpiPen Prices Soar," in Law360. In the article, Fader points out that with lawmakers and consumers calling for a competitor to challenge Mylan NV in the aftermath of the drugmaker's EpiPen price increases, potential competitor Kaléo Pharma has a "golden opportunity" with its updated version of the Auvi-Q epinephrine injector.
Eric Fader was quoted in an article, "Omnicare to Pay $28M to Settle Kickback Allegations," in Bloomberg BNA's Pharmaceutical Law & Industry Report. The article discusses the $28 million settlement that Omnicare reached with the U.S. Department of Justice to resolve claims that it accepted kickbacks from Abbott Laboratories to induce Omnicare to order one of Abbott's drugs.
Eric Fader was quoted in an article, "Medicare Still Making Improper Payments on Behalf of Prisoners," in Bloomberg BNA's Health Care Daily Report. In the article, Fader discusses a government report that says that Medicare made about $34 million in improper payments to providers on behalf of prisoners in 2013 and 2014.