HIPAA Business Associate Audits May Be On The Way

Business Associates (“BAs”) may be audited, in addition to covered entities, in 2012 audits by the Office for Civil Rights (“OCR”). OCR has a three-step audit program in progress. If the initial program “goes well” (whatever that means), then OCR will implement a full range of onsite audits and an evaluation process. BAs come into contact with significant amounts of protected health information. Because approximately 20% of HIPAA breaches involve BAs, consideration is being given to including BAs as audit targets.

© 2011 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com

Review of HIPAA Rules Completed

The review of proposed rules regarding changes to the HIPAA privacy and security rules has been completed.  The rules could be released as early as this week.

The OMB reports that it has concluded its regulatory review of the rules HHS sent in April.  

While the healthcare industry has been waiting on rules from OCR in regard to the HITECH provisions effective February 17, it remains unclear which proposed rules will be released.

© 2010 Parsonage Vandenack Williams LLC


What is the Difference Between Consent & Authorization Under the HIPAA Privacy Rule?

The HIPAA Privacy Rule permits, but does not require, a covered entity to voluntarily obtain patient consent for uses and disclosures of protected health information (“PHI”) for treatment, payment, and health care operations. Covered entities that obtain patient consent have complete discretion to design a process that best suits their needs.

On the other hand, an authorization under the HIPAA Privacy Rule is a detailed document that gives covered entities permission to use PHI for specified purposes, which are usually other than treatment, payment, or health care operations, or to disclose PHI to a third party designated by the individual.  An authorization must specify a number of elements, including a description of the PHI to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some instances, the purpose for which the information may be used or disclosed.

The Privacy Rule requires authorization for uses and disclosures of PHI not otherwise allowed under HIPAA. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of PHI unless it also satisfies the requirements of a valid authorization.

© 2009 Parsonage Vandenack Williams LLC
