HIPAA Enforcement Stepped Up by HHS/OCR

April 21, 2017

We recognize that HIPAA seems like “old news” – the flurry of activity when the law was first passed seems like a long time ago! Recent notices, however, remind us that HIPAA enforcement is alive and well: settlements in 2016 reached a record $22,855,300, with seven settlements of more than $1.5M each. This enforcement is driven by OCR audits (more than 200 are under way at the moment). According to TechTarget, the audits, expected to continue into 2017, will scrutinize the following key areas:
  • Breach notification procedures. Do organizations have policies and procedures for notifying patients and the public after a breach?
  • Protocols for protecting data in the event of a breach.
  • Risk assessment. Have providers and other covered entities performed thorough analyses of the risk of data breaches or losses?
  • Whether business associates are in compliance with HIPAA. In the pilot audit round, OCR only asked providers for lists of business associate contracts.
  • Employee training policies.
  • Whether organizations have security officers in place.
  • Mechanisms and procedures for promptly providing health data to patients.
  • Policies for controlling employee access to ePHI.