HEALTH INFORMATION TECHNOLOGY & PRIVACY

HHS Announces New Round of HIPAA Audits

On February 24, 2014, HHS announced a plan to survey a total of 1,200 organizations, consisting of 800 covered entities and 400 business associates, as a first step in selecting organizations for a new round of HIPAA audits.  Not all organizations that are chosen to participate in the survey will be audited, as the survey is intended to allow OCR to collect data regarding the number of patient visits, use of electronic information, revenue, and business locations of survey participants in order to assess whether the organizations should be audited. The forthcoming round of HIPAA audits are intended to supplement OCR’s regular compliance efforts through routine complaint and investigation measures, and will likely focus on security risk assessments, breach notification procedures, encryption, staff training, policies and procedures, and compliance program implementation. OCR will revise its existing audit protocols to reflect modifications introduced by the HIPAA Omnibus Rule.  See http://www.gpo.gov/fdsys/pkg/FR-2014-02-24/pdf/2014-03830.pdf for additional information.  

County Government Agrees to Settle Potential HIPAA Violations

On March 7, 2014, HHS announced the first-ever county government settlement of potential HIPAA violations. Skagit County, Washington, agreed to a $ 215,000.00 monetary settlement and to correct deficiencies in its compliance program. OCR investigated Skagit County after receiving a breach report that money receipts containing ePHI for seven individuals were accessed by unknown parties after the data had been moved to a publicly accessible County server.  The investigation revealed a much broader exposure of epHI (up to 1,581 individuals were impacted), as well as disclosure regarding testing and treatment for infectious diseases.  OCR also discovered general and widespread non-compliance of the HIPAA Privacy, Security and Breach Notification Rules by the County. 

Under the corrective action plan, Skagit County will ensure HIPAA compliance by confirming that it has in place written policies and procedures, documentation requirements, and training, as well as providing regular status reports to OCR. In announcing the settlement, HHS emphasized that the settlement is intended to send a strong message about the importance of HIPAA compliance to local and county governments, regardless of size. 

See http://www.hhs.gov/news/press/2014pres/03/20140307a.html for additional information. 

OCR Director Leon Rodriguez Nominated by President Obama to Serve as New Director of the United States Citizenship and Immigration Services

OCR Director Leon Rodriguez has been nominated by President Barack Obama to serve as the new director of the United States Citizenship and Immigration Services, and is likely to be confirmed for the new position by Summer 2014, subject to Congressional approval.  Mr. Rodriguez has led OCR since 2011 and has served as the primary spokesperson of OCR on clarification of HIPAA compliance strategies and audit preparation.  Although the leadership change comes at a crucial time for OCR, as long-awaited HIPAA audits of both covered entities and business associates are anticipated to commence in 2014, it is unlikely to delay or otherwise impact the audits.  Mr. Rodriguez’s successor is likely to be appointed by Kathleen Sebelius, Secretaryof HHS.  

See http://www.himss.org/News/NewsDetail.aspx?ItemNumber=27166&navItemNumber=17425 for additional information.