Health Information Management

Q&A with OCR: We investigate all 500-plus HIPAA breaches

HIM-HIPAA Insider, March 19, 2012

The following is a Q&A between HCPro, Inc. and an Office for Civil Rights (OCR) spokesperson. HCPro, Inc. Senior Managing Editor Dom Nicastro sent the questions to OCR when news broke Tuesday, March 13, about the $1.5 million settlement between Blue Cross Blue Shield of Tennessee and OCR for HIPAA violations.

HCPRO: Were it not for the HITECH requirement to report 500-plus breaches to OCR/media, is there a chance OCR may not have known about this breach?

OCR: Pre-HITECH, a patient may have learned about an impermissible disclosure through a request for accounting of disclosures or if state law required notification. The individual could have then filed a complaint with OCR. This case underscores the important utility of the breach reporting notification to bring these incidents to light.

HCPRO: As for the breach itself, what kind of steps can entities take to ensure this doesn’t happen?

OCR: The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to evaluate risks and vulnerabilities in their environments and to implement policies and procedures to address those risks and vulnerabilities. Both risk analysis and risk management are standard information security processes and are critical to a covered entity’s Security Rule compliance efforts. OCR has posted guidance on the risk analysis requirements under the Security Rule to our website. A meaningful HIPAA compliance program includes up-to-date policies and procedures, a well-documented training program, regular internal audits, and ongoing monitoring.

Read the rest of the Q&A with OCR on HIPAA Update.

 

Most Popular