Health Care Law Blog

Recently, HHS and OCR unveiled their Health Insurance Portability and Accountability Act ("HIPAA") audit protocol (the "Protocol"), which outlined the requirements to be assessed through the audits.  (The Protocol can be accessed on HHS' website.)  The Protocol addressed requirements for the HIPAA Security Rule and HITECH Breach Notification Rule.  Additionally, the protocol covered the HIPAA Privacy Rule's requirements for the following:

• Notice of Privacy Practices for PHI;
• Rights to Request Privacy Protection for PHI;
• Access of individuals to PHI;
• Administrative Requirements;
• Uses and Disclosures of PHI;
• Amendment of PHI; and
• Accounting of disclosures.

Of particular relevance, the Protocol identifies the procedures and questions on which auditors should focus when conducting HIPAA audits.  In doing this, the Protocol emphasizes the issues of particular importance to OCR and reveals areas of potential compliance enforcement concentration.  It also serves as a guideline for health providers to use when reviewing and updating their compliance programs.

In addition to aiding compliance efforts, the Protocol may also help health care providers avoid significant financial penalties. One of the HITECH Act's most daunting provisions greatly increased penalties for HIPAA violations occurring after February, 2009. The civil money penalties for violating HIPAA privacy standards, which were previously set at $100 per violation with an annual cap of $25,000, have been increased to $50,000 per violation with an annual $1,500,000 cap.

For more information about how to utilize the audit Protocol to update and streamline your compliance program, please contact one of Foster Swift’s health care law experts.