Updates from the Office for Civil Rights (OCR)
Kelly McLendon recently attended the National HIPAA Summit in Washington, DC. While OCR has released no new privacy or security rules, the following updates are anticipated for 2015:
New OCR Audit Program to include Business Associates
HIPAA covered entities have reported that the HHS Office for Civil Rights (OCR) recently sent pre-audit screening surveys to approximately 800 covered entities. If you have received one of these surveys, you could very well be one of the possibly 350-400 that may be selected for a second phase of audits of compliance with the HIPAA Privacy, Security and Breach Notification Standards, as required by the HITECH Act. OCR had originally planned to issue these screening surveys in the summer of 2014. Why they have not yet been released is unknown, but the reason is most likely related to building a web infrastructure within which to manage the audits.
Though the first phase of audits, conducted in 2011 and 2012, focused only on covered entities, this next phase is focusing on covered entities as well as business associates. The Phase 2 Audit program will focus on areas of greater risk to the security of PHI and on pervasive non-compliance based on OCR’s Phase 1 Audit findings and observations. It is unknown at this point how much of a comprehensive review of all of the HIPAA privacy, security and breach rules will also be included in this round of audits. OCR has stated that it intends for the Phase 2 audits to identify best practices and uncover risks and vulnerabilities that OCR has not identified through other enforcement activities. In circumstances where an audit reveals serious non-compliance, OCR may undertake a compliance review of the audited organization that could lead to civil money penalties.
OCR Change in their Breach Reporting Format
The HHS Office for Civil Rights (OCR) recently launched an updated web portal for reporting breaches of unsecured protected health information (PHI) as required under the HIPAA breach rules. Among other changes, the updated version requires users to submit data that was previously optional. The updated version is live, and new requirements apply to 2014 breach notification reports that have not yet been submitted.
OCR Working on Patient Compensation Plan
Although no date was given, it was discussed at this year’s HIPAA Summit that OCR is working on rules mandated in the HITECH Act that would allow patients whose complaints to OCR about HIPAA violations result in Civil Monetary Penalties (CMP) to receive a cut of the penalty monies. The entire healthcare industry remains watchful for this rule, as there is widespread belief that a rule of this nature could result in a large increase in HIPAA complaints from patients to OCR, which would up the ante on HIPAA compliance requirements.
OCR Final Rule - Accounting of Disclosures & Access Reports
On May 31, 2011, OCR issued a proposed rule granting a new right for individuals to obtain a listing of who has accessed the individual’s protected health information (PHI). OCR announced in late 2014 that instead of finalizing the proposed rule on accounting of disclosures and access reports, required by the HITECH Act, it would seek a second round of public comments on this proposed rule. Under HITECH this new rule was supposed to be in effect by Jan. 1, 2014. It now appears that OCR is once again working on finalizing the new rule sometime in 2015 or beyond. OCR does not publish timetables for release of such rules, but it is likely they are working on updates to this potentially very contentious rule.