April 21, 2017
We recognize that HIPAA seems like “old news” – the flurry of activity when the law was first passed seems like a long time ago! Recent notices, however, remind us that HIPAA Enforcement is alive and well and settlements in 2016 reached a record $22,855,300 with seven settlements of more than $1.5M
The enforcement is a result of audits (more than 200 ongoing at the moment); and according to TechTarget will focus on the following key areas which OCR will be scrutinizing in audits expected to start this year, and likely continue into 2017, to include:
- Breach notification procedures. Do organizations have policies and procedures for notifying patients and the public after a breach?
- Protocols for protecting data in the event of a breach.
- Risk assessment. Have providers and other covered entities performed thorough analyses of the risk of data breaches or losses?
- Whether business associates are in compliance with HIPAA. In the pilot audit round, OCR only asked providers for lists of business associate contracts.
- Employee training policies.
- Whether organizations have security officers in place.
- Mechanisms and procedures for promptly providing health data to patients.
- Policies for controlling employee access to ePHI.