Earlier this year, the U.S. Department of Health and Human Services Office of Civil Rights ("OCR") announced its plan for a number of audits regarding compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). As a refresher, on January 17, 2013, the U.S. Department of Health and Human Services ("HHS") issued the Omnibus Final Rule (the "Rule") concerning the implementation of changes to privacy and security provisions of HIPAA pursuant to the Health Information Technology for Economic and Clinical Health ("HITECH") Act. The Rule strengthened the protection of patient health information ("PHI") under HIPAA. In accordance with the Rule, healthcare providers are required to have appropriate safeguards and measures in place to ensure patients' PHI is protected.

In September of this year, OCR Senior Advisor Linda Sanches discussed the upcoming audits. Ms. Sanches did not provide a specific timeline for when the audits will begin but did discuss certain areas providers should evaluate in preparing for the audits. Two areas that the OCR will likely focus on while conducting the audits are security risk assessments and breach notifications. With regard to breaches, Ms. Sanches indicated that OCR will look for a pattern of similar types of breaches which could indicate that the provider is not doing anything about the breaches or does not have proper procedures in place to prevent them. With regard to risk assessments, Ms. Sanchez indicated that one of the most important things a provider can do is conduct a periodic risk analysis. She explained that without one, a provider has no idea where they stand. It is crucial for providers to already have a risk assessment in place rather than waiting to develop one right before an audit.

To read more about this topic, please see full article below Download PDF