OCR HIPAA Enforcement- What Healthcare Organizations Should Know

Posted by John Dimaggio on May 10, 2016 9:47:46 AM

In OCR Random Audits

Healthcare organizations operating without a strong HIPAA compliance plan are playing a very risky game of Russian roulette.  Now more than ever, the Office for Civil Rights (OCR) is serious about HIPAA enforcement, and expects full compliance with the requirements and implementation specifications of HIPAA Privacy, Security and Breach Notification Rules.

OCR is an organization within the U.S. Department of Health & Human Services that oversees the privacy and security of protected health information (PHI).  OCR investigates HIPAA complaints and privacy and security breaches, conducts compliance reviews, and has recently announced a new 2016 audit program that targets Covered Entities and Business Associates.

To date, OCR has lived up to its mission, and as a result has imposed sizeable fines and arduous corrective action plans on healthcare organizations when compliance is found to be lacking. A full listing of OCR fines and corrective actions can be found at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements.

A few examples from the 1st Quarter of 2016 are listed below:

  • A Provider group practice based in North Carolina was fined $750,000 for failing to execute a Business Associate agreement;
  • A large New York healthcare system was fined $3.9 million for improper disclosure of PHI;
  • A large Minnesota healthcare system was fined $1.5 million for failing to execute a Business Associate agreement, and a failure to conduct risk assessments.

Now consider OCR’s 2016 Audit initiative currently underway. The audit protocol encompasses 180 requirements and implementation specifications from the HIPAA Privacy, Security and Breach Notification Rules. While the primary audit objective is to assess compliance of the HIPAA-regulated industry, a secondary objective is to discover industry-common vulnerabilities that have remained undetected during routine OCR complaint investigations and compliance reviews. Based on the broad scope of potential audit topics and on OCR’s staunch audit objectives, indications point to substantial failure rates.

Hundreds of Covered Entities and Business Associates could be audited, and those audit targets will be randomly selected from a candidate pool that represents a wide demographic range of organizational sizes, types and geographic locations. An organization selected for audit will be expected to provide the requested audit information within 10 business days of the audit notice. In other words, if your organization is not already fully compliant with the audit topics selected, a 10-day notice will not make much of a difference in the outcome.

In today’s world of HIPAA and HITECH, healthcare organizations need to embrace their legal and ethical obligation to protect patient privacy. A HIPAA complaint, compliance review, security breach, and now an OCR audit could literally be a day away. HIPAA requirements and implementation specifications can be extremely complex, so consider hiring a compliance partner that specializes in the HIPAA Security, Privacy and Breach Notification Rules. A good compliance partner will help you navigate the process, and design a customized approach based on your organization and tailored to meet your specific regulatory requirements and state statutes.

Want more information on the OCR audits? BlueOrange Compliance has created an OCR audit eBook that is available for download: Download Our OCR Audit eBook.

BlueOrange Compliance has been providing privacy and security assessments, remediation, training and guidance since the inception of HITECH. Our team is comprised of former healthcare IT executives and top security, privacy and technology analysts. Our national client base consists of hospitals, physician provider practices, nursing facilities, LTC pharmacies, LPCs, CCRCs, homecare, hospice and business associates. If you want to learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit us at blueorangecompliance.com.