• E-mail
• Print
• RSS

Is OCR ready to get proactive about HIPAA?

Briefings on HIPAA, September 1, 2016

This is an excerpt from a member only article. To read the article in its entirety, please login or subscribe to Briefings on HIPAA.

The Office for Civil Rights (OCR) stepped up HIPAA enforcement in a big way this year. The agency handed down more than $5 million in HIPAA settlement fines in one week in March, and in July reached a HIPAA violation settlement with Advocate Health Care in Illinois that carried a $5.55 million monetary payment. OCR kicked off phase two of its HIPAA Audit Program and will likely complete desk audits of covered entities (CE) and business associates (BA) by the end of the year. Comprehensive on-site audits may occur early in 2017.

However, breaches continue to come at a relentless pace and questions have been raised about OCR's handling of HIPAA violations, particularly repeat HIPAA offenders. And a truly permanent HIPAA audit program may not yet be in sight: OCR states that phase two audits will help the agency plan for a permanent audit program but doesn't state when that might launch.

In a September 2015 report (https://oig.hhs.gov/oei/reports/oei-09-10-00510.pdf), the Office of Inspector General (OIG) said OCR—and HHS as a whole—should strengthen its oversight of CEs and be proactive rather than reactive in its approach to HIPAA enforcement. The report found that in 26% of closed privacy cases, OCR did not have complete documentation of corrective actions taken by CEs. In addition, OCR's case tracking system has significant limitations and makes it difficult for the agency's staff to check if a CE under investigation has been the subject of previous investigations.

All of this may make some CEs and BAs feel that HIPAA compliance is merely optional, and that leads to a weaker privacy and security culture throughout the industry. Although OCR does take action to make its presence felt, it could do more, Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona, says.

"I do believe that OCR is trying to let people know that it considers HIPAA compliance an important objective," he says. "With its guidance and ongoing alerts about the occasional enforcement actions here and there, I see OCR's enforcement a small step above being a paper tiger in terms of how seriously people take it."

This is an excerpt from a member only article. To read the article in its entirety, please login or subscribe to Briefings on HIPAA.

• E-mail to a Colleague
• Print
• RSS
• Archive