OIG announces HIPAA compliance Work Plan

Compliance Monitor, October 19, 2011

The OIG plans to focus on HIPAA compliance reviews of security controls in Medicaid programs and federal oversight of two key HIPAA regulations as part of its Fiscal Year 2012 Work Plan released this month.

The OIG cited four HIPAA target areas it will review during the next 12 months:

• States’ data security requirements under business associate agreements
• Medicaid security controls over state web-based applications
• OCR oversight of the HIPAA Privacy Rule
• OCR oversight of the HITECH breach notification rule

Medicaid management information systems (MMISs) business associate agreements. The report states it will review CMS’s oversight activities related to data security requirements of state programs that process and pay claims for Medicaid benefits.

In other words, the auditor wants to ensure business associates comply with the HIPAA Security Rule.

“We will determine whether business associate agreements have been properly executed to protect beneficiary information, including safeguards implemented pursuant to federal standards,” OIG writes.

Medicaid security controls over state web-based applications. Because Medicaid providers submit claims electronically, the OIG wants to determine whether the state web-based applications that receive those claims contain any vulnerabilities that could affect the “confidentiality, integrity, and availability” of the PHI in Medicaid claims. Electronic claims transactions may contain PHI, OIG reports, as defined under regulations that also define “health plan” to include Medicaid.

“Medicaid programs must comply with the security standards set forth … (in) the HIPAA Security Rule,” OIG writes. “We will use an application security assessment tool in conducting this review.”

OCR oversight of the HIPAA Privacy Rule. The OIG says it will review OCR’s investigation policies and assess OCR’s oversight to ensure that covered entities are complying with the Privacy Rule.

OCR oversight of the HITECH breach notification rule. The interim final rule on breach notification requires that covered entities notify affected individuals, the Secretary of HHS, and, when required, the media, following the discovery of a breach in unsecured PHI.

“We will review OCR’s policies for investigating breaches reported by covered entities and determine whether Medicare Part B-covered entities have policies or plans in place to mitigate breaches,” OIG wrote in its report.

Check out this post and more at the HIPAA Update blog.