The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) finally announced on March 21 that it is ready to begin Phase Two of its HIPAA audit program, which will include business associates. These audits, mandated by HITECH, will primarily be comprised of desk audits, scheduled for completion by the end of December 2016, followed by onsite audits.

OCR explained it will immediately commence Phase Two by verifying, via email, cover entities’ and business associates’ contact information. The OCR is requesting timely responses, so that it can send pre-audit questionnaires out in order to gather data from covered entities and business associates for the creation of potential audit subject pools. The data will relate to the entities’ size, type and operations. Should covered entities and business associates fail to respond to OCR’s requests, they may still be part of OCR’s potential subject pools because OCR plans to compile publicly available information about covered entities and business associates that do not respond to its requests.

The first round of desk audits will focus on covered entities, and the second round will focus on business associates. The third round will be onsite audits, with a greater focus on the HIPAA requirements. OCR explains that some covered entities and business associates who are subject to desk audits may also be subject to onsite audits. According to OCR, all covered entities and business associates are eligible to be audited. The audits will focus on identifying compliance with specific privacy and security requirements under HIPAA/HITECH, and OCR will notify auditees by letter, regarding the subject(s) of their specific audits. On the HHS website, OCR provides a sample letter for review. Subsequent to the audits, OCR will review and analyze information from audit final reports.

Importantly, if an audit report uncovers significant noncompliance with HIPAA, it could prompt an investigation by OCR. The areas of interest for OCR in Phase Two will become clearer as the Phase Two audit program gets underway, but for now, we know OCR will focus on assessing covered entities’ and business associates’ HIPAA compliance, identifying best practices and discovering risks and vulnerabilities.

More information about the Phase Two audits is available here, and you can also contact Greg Fliszar, Ryan Blaney, J. Nicole Martin or another member of Cozen O’Connor’s Health Law team.

Recently, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) released its Work Plan for Fiscal Year 2015 (“Work Plan”).  The OIG protects the integrity of HHS programs by identifying fraud and abuse and by suggesting improvements to HHS programs.  The Work Plan informs the public of new and ongoing reviews that OIG plans to pursue during the current fiscal year.

For Fiscal Year 2015 and beyond, OIG intends to focus on emerging payment, eligibility, management, and IT systems security vulnerabilities in the ACA programs, such as the health insurance marketplace.  OIG stated that it would also focus on the efficiency and effectiveness of payment policies in inpatient and outpatient settings, for prescription drugs, and in managed care.

Some specific new items of note include: (1) identifying clinical laboratories that routinely submit improper Medicare claims, (2) reviewing the rate of and reasons for transfers from group homes or nursing facilities to emergency departments as a potential indicator of poor quality, (3) identifying Medicaid MCO payments made on behalf of deceased or ineligible beneficiaries, and (4) assessing the extent to which hospitals comply with the contingency planning requirements of HIPAA.

The Work Plan is a valuable resource annually published by the OIG for providers to identify potential compliance risk areas.

Cozen O’Connor recently published another blog of the Work Plan with the Work Plan’s specific focus on HIPAA and/or information technology that the OIG will examine and address during Fiscal Year 2015.

Daily news stories about data breaches and enforcement actions seem to be the new norm, so it’s no surprise that people may start to believe that hackers have won the war and that no personal health information is safe. But exactly how many breaches have been reported in the last several years? And were the breaches the result of nefarious plots or just plain incompetence? About how many HIPAA investigations has the government actually launched?

Rest assured, Congress has been asking similar questions as well. The HITECH Act requires the Department of Health and Human Services Office for Civil Rights (OCR) to submit annual reports to Congress that provide contextualized information about incident rates and government action; OCR published its most recent two reports on Breaches of Unsecured Protected Health Information (Breach Report) and HIPAA Privacy, Security, and Breach Notification Rule Compliance (HIPAA Compliance Report).  In addition to including cumulative data, the reports cover relevant activities that occurred between January 1, 2011, and December 31, 2012. Continue reading…

As we’ve discussed in previous articles,[1] and as you are no doubt aware by now, the Health Insurance Portability and Accountability Act (HIPAA) recently received a significant facelift.  In addition to extending direct liability to business associates and subcontractors, the updated HIPAA regulations (Updated Regulations), which were authorized by the Health Information Technology for Economic and Clinical Health Act (HITECH), contain many new provisions to address growing privacy concerns for the increasing amount of protected health information (PHI) stored on electronic media.  Covered entities and their business associates and subcontractors must comply with the Updated Regulations by September 23, 2013.  In order to help you prepare for the September 23, 2013 compliance deadline, this article (1) explains the difference between two important compliance deadlines contained in the Updated Regulations, (2) suggests a 5-step process to efficiently update and/or create compliant HIPAA policies and procedures, and (3) discusses a few observations we’ve made as we’ve helped our clients prepare for the September 23, 2013 compliance deadline. Continue reading…

While the implementation of compliance programs to encourage the development and use of internal controls to monitor adherence of the health care industry to applicable statutes, regulations, and program requirements has long been considered a best practice, the Patient Protection and Affordable Care Act (“ACA”) has made them mandatory. Continue reading…