Recent news reports indicate that the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is planning to move ahead with its plan to begin proactive HIPAA audits of business associates and covered entities.

In the past, OCR has relied primarily on self-reports of breaches from covered entities (as required by the Breach Notification Rule) as a basis for enforcement actions. However, Section 13411 the HITECH Act directs OCR to conduct periodic audits to ensure that covered entities and business associates are in compliance with the Security Rule. The Security Rule requires covered entities and business associates to protect the integrity and confidentiality of electronic protected health information through implementing physical, administrative, and technical safeguards.

HHS launched a pilot audit program in 2011. However, the OIG has criticized OCR for not implementing this requirement in a timely fashion by moving forward with more widespread audits.

According to news reports, HHS has chosen a vendor for the next phase of the audit program and is verifying contact information for business associates and covered entities to be included under the program. OCR noted that the first audits will mostly consist of desk audits, under which it will ask entities to send in policies and procedures for review, though there may be some in-person audits as well.

Now that audits of internal security policies and procedures are appearing ever more likely and imminent, covered entities and business associate may want to take this opportunity to ensure that these policies are up to date and accord with the Security Rule.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Covington Digital Health Team

Stakeholders across the healthcare, technology and communications industries seek to harness the power of data and information technology to improve the effectiveness and efficiency of their products, solutions and services, create new and cutting-edge innovations, and achieve better outcomes for patients. Partnering with…

Stakeholders across the healthcare, technology and communications industries seek to harness the power of data and information technology to improve the effectiveness and efficiency of their products, solutions and services, create new and cutting-edge innovations, and achieve better outcomes for patients. Partnering with lawyers who understand how the regulatory, IP, and commercial pieces of the digital health puzzle fit together is essential. Covington offers unsurpassed breadth and depth of expertise and experience concerning the legal, regulatory, and policy issues that affect digital health products and services. To learn more, click here.