Ensuring Compliance with the Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) requires physicians, healthcare providers, and all others that qualify as “covered entities”  or “business associates” to comply with regimented patient privacy and security standards. Failure to fully comply with the law can result in an investigation by the Office for Civil Rights, leading to fines, penalties, and potential damages. This means the best solution for a covered healthcare entity is proactively auditing HIPAA compliance. The following are some key topics that are important for HIPAA compliance.

Risk Assessments.  All covered entities and business associates must conduct periodic risk assessments to identify potential risks to protected health information from a variety of threats, including threats from the environment, such as long-term power loss, chemicals, or pollution. Other threats that must be included in the assessment are intentional and unintentional human data breaches, human error, and natural disasters, such as floods, tornadoes, and earthquakes. The risk assessment must include a variety of information and clearly delineate the risk and potential impact from specific threats. In conjunction with the identification of threats, the risk assessment must demonstrate and outline safeguards implemented to mitigate the potential risk from the identified threats.

Privacy and Security Standards.  An easily overlooked issue pertains to the different standards between the requirements of the HIPAA Privacy Rule and the HIPAA Security Rule.  The HIPAA Privacy Rule requires a covered healthcare provider to have specific policies and procedures for health information disclosure and to distribute a Notice of Privacy Policy to patients.  These requirements are separate from the policies and procedures required by the HIPAA Security Rule.  Policies and procedures under the Security Rule relate to physical premises security, data encryption, and other electronic protection measures. The HIPAA Security Rule and the Privacy Rule require separate and distinct policies and procedures and should be evaluated individually.

On-Going Compliance. After HIPAA policies and procedures are adopted, on-going compliance requirements must not be overlooked.  For example, HIPAA compliance activities must be recorded, and records demonstrating implementation must be kept. Compliance with the Security Rule and the Privacy Rule must be periodically reviewed, with policies and procedures updated as circumstances warrant.

HIPAA has many pitfalls that a healthcare provider may fall victim to, even when that healthcare provider is attempting to comply with the law. This underscores the importance of taking proactive steps to audit HIPAA compliance and even seek outside counsel where appropriate to prevent unintentional miscues.

© 2015 Houghton Vandenack Williams
For more information, Contact Us

Federal HIPAA Audits Set to Resume in Early 2016

By Matthew J. Effken

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has announced its intent to move forward with new HIPAA compliance audits in early 2016. The so-called “Phase 2” audits were originally scheduled to commence in 2014, but have been repeatedly delayed.  The OCR reportedly sent preliminary pre-screening surveys to several hundred potential audit targets earlier this year, but there has been no apparent activity since that time.

The upcoming round of audits will include both covered entities and business associates.  There will be a combination of on-site visits and desk audits.  Before the audits can begin, however, the OCR still needs to revise its HIPAA audit protocol and update its information systems to support the audit program.

The OCR’s announcement came in the wake of a highly critical report from the HHS Office of Inspector General (OIG)  that highlighted various deficiencies in the OCR’s execution of its HIPAA oversight responsibilities.  Among the shortfalls noted in the report was the OCR’s failure to implement a permanent program of proactive HIPAA audits, as required by federal law. The OCR cited various obstacles, including limited resources, as having delayed the audit program.

The OIG report and the OCR response are available at the following link: http://oig.hhs.gov/oei/reports/oei-09-10-00510.pdf.


Potential Employer Requirements Due to Anthem, Inc. Data Breach

On February 4, 2015, Anthem Inc., one of the largest U.S. health insurers, notified the public that their data systems were breached. This breach potentially left customer names, social security numbers, and other personal information vulnerable. Subsequently, Anthem Inc. has already seen a customer lawsuit filed in California over the breach, with many more expected.

Health plan participants that have been affected will be notified in compliance with federal law. However, as this investigation continues, this may place additional burdens on employers. Depending upon the nature of the breach, of which further details are expected soon, employers may have to issue breach notifications under the Health Insurance Portability and Accountability Act (HIPAA). Until it becomes clear what information was taken, specific notification requirements are unclear. For example, a key question is whether protected health information was taken.

The type of health plan an employer offers will determine how the breach affects that employer's obligations. The requirements will become clearer once further information is released. Beyond the federal HIPAA requirements, 47 states have unique breach notification laws that may impose obligations.

If you have questions pertaining to how this may impact your requirements under the law, please contact Houghton Vandenack Williams for further information.


PVW Law Article: HIPAA Final Rule

We posted a new article on our website regarding the HIPAA Final Rule.

For more information, check out our videos on Business Associates and Business Associate Agreements, as well as HIPAA Compliance Audits.

Meaningful Use Stage 2 – Electronic Health Records and HIPAA

To satisfy the new Meaningful Use Stage 2 requirements, providers must furnish patients with electronic copies of their health information upon request.  Providers should ensure that their systems are able to timely meet these requests and to satisfy the requirements of the HIPAA Privacy Rule.  The Meaningful Use Stage 2 standard requires that more than 50 percent of patients who request electronic copies of their health information must be provided that information within three business days.

When providing electronic copies of health information, providers should keep in mind that electronic data may be furnished in any format.  For example, information could be provided via a patient portal, CD, USB drive, or the like.  Providers should update their HIPAA compliance plans to include provisions relating to electronic media accordingly.  As under the HIPAA Privacy Rule, providers may only charge a reasonable, cost-based fee for a copy of the information.  It is important to remember that providers may withhold certain types of information from a patient’s electronic copies of health information.  Since the types of health information that can be withheld from patients or third parties are subject to a higher confidentiality standard, providers also need to review their HIPAA compliance plans to ensure that appropriate protocols for electronic disclosure are in place.

© 2012 Parsonage Vandenack Williams LLC

For more information, contact info@pvwlaw.com

HIPAA Audit Protocols Released

This year, 115 audits will take place under a new pilot program designed to ensure compliance with HIPAA.  Any entity subject to HIPAA is subject to audit, and the program will likely expand substantially in 2013.  As a result, all healthcare professionals need to be concerned about HIPAA audits.

Beginning in 2013, DHS will include business associates in their audit procedures.  This means that businesses engaged in service contracts with healthcare entities should evaluate their potential eligibility for audit.

DHS has recently released its HIPAA audit protocol (available here).  The audit protocol is highly comprehensive and addresses the full spectrum of HIPAA concerns. It includes modules to measure compliance with seven separate requirements under the Privacy Rule, as well as requirements for technical, physical, and administrative safeguards under the Security Rule.  The protocol also includes modules designed to measure compliance with the requirements of the Breach Notification Rule.  Healthcare organizations should regularly engage in “practice” audits to ensure that they comply with all of these requirements.  The release of these protocols will be a valuable tool in ensuring that practice audits are sufficiently rigorous and focused to provide meaningful results.
