Health Information Technology for Economic and Clinical Health Act Archives

OCR Launches Phase 2 HIPAA Audit Program with Pre-Audit Screening Surveys

by Edward G. Zacharias, Daniel F. Gottlieb and Ryan S. Higgins | May 26, 2015 | Health and Welfare Plans, Privacy and Data Security

HIPAA covered entities have reported that the HHS Office for Civil Rights recently sent pre-audit screening surveys to a pool of covered entities that may be selected for the previously delayed second phase of HIPAA compliance audits. This On the Subject describes the phase two audit program and identifies steps that covered entities and business associates should take to prepare for these audits.

Read the full article.

OCR to Begin Phase 2 of HIPAA Audit Program

by Edward G. Zacharias and Daniel F. Gottlieb | Aug 26, 2014 | Health and Welfare Plans, Privacy and Data Security

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) will soon begin a second phase of audits (Phase 2 Audits) of compliance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security and breach notification standards (HIPAA Standards) as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Unlike the pilot audits during 2011 and 2012 (Phase 1 Audits), which focused on covered entities, OCR will conduct Phase 2 Audits of both covered entities and business associates. The Phase 2 Audit Program will focus on areas of greater risk to the security of protected health information (PHI) and pervasive noncompliance based on OCR’s Phase I Audit findings and observations, rather than a comprehensive review of all of the HIPAA Standards. The Phase 2 Audits are also intended to identify best practices and uncover risks and vulnerabilities that OCR has not identified through other enforcement activities. OCR will use the Phase 2 Audit findings to identify technical assistance that it should develop for covered entities and business associates. In circumstances where an audit reveals a serious compliance concern, OCR may initiate a compliance review of the audited organization that could lead to civil money penalties.

The following sections summarize OCR’s Phase 1 Audit findings, describe the Phase 2 Audit program and identify steps that covered entities and business associates should take to prepare for the Phase 2 Audits.

Read the full article.

HIPAA Omnibus Final Rule Compliance Date Is Less Than Two Months Away

by McDermott Will & Emery | Aug 6, 2013 | Health and Welfare Plans, Privacy and Data Security

by Daniel F. Gottlieb and Edward G. Zacharias

The compliance date for the omnibus final rule amending the privacy, security, breach notification and enforcement regulations under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act is less than two months away for health care providers, health plans, other covered entities and their business associates. The changes require covered entities and their business associates to conduct a security risk assessment; revise their existing privacy, security and breach notification policies and procedures; amend their business associate agreements; and retrain their workforce on the revised policies.

The final rule includes the following changes:

Business associates are directly liable for civil money penalties and criminal penalties for violations of the Privacy Rule and Security Rule.
The definition of business associate is expanded to include a subcontractor of a business associate so that subcontractors also are liable for violations of the privacy, security and breach notification standards.
The definition of a breach of unsecured protected health information (PHI) is revised to make it more difficult for a covered entity or business associate to avoid reporting an unauthorized use or disclosure of PHI to the affected individuals and the Office of Civil Rights.
A covered entity generally may not receive cash or other financial remuneration for marketing communications made for a third party’s products or services.
Certain restrictions on the use of compound authorizations in connection with research studies were changed in a way that will simplify secondary uses of PHI for research purposes.

New HIPAA Regulations Require Action by Group Health Plans

by McDermott Will & Emery | Mar 19, 2013 | Health and Welfare Plans, Privacy and Data Security

by Amy M. Gordon and Jamie A. Weyeneth

Final HIPAA privacy and security regulations issued by the U.S. Department of Health and Human services will require action by group health plan sponsors by September 2013.

To read the full article, click here.

New HIPAA Regulations Affect Business Associates and Subcontractors

by McDermott Will & Emery | Feb 14, 2013 | Privacy and Data Security

by Amy M. Gordon, Susan M. Nash and Jamie A. Weyeneth

The Health Insurance Portability and Accountability Act omnibus regulations recently released by the U.S. Department of Health and Human Services have significant ramifications for business associates and subcontractors of business associates.

To read the full article, click here.