
Health Care Law Blog
The Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), passed in 2009, imposed new requirements on health care providers (among others) related to the privacy and security of Protected Health Information ("PHI"). Included in the HITECH Act's requirements was a mandate that the Department of Health and Human Services’ ("HHS") Office for Civil Rights ("OCR") conduct audits to analyze the processes, controls and policies of certain covered entities. The pilot program for such audits began in 2011 and will conclude in December 2012.
Recently, HHS and OCR unveiled their Health Insurance Portability and Accountability Act ("HIPAA") audit protocol (the "Protocol"), which outlined the requirements to be assessed through the audits. (The Protocol can be accessed on HHS' website.) The Protocol addressed requirements for the HIPAA Security Rule and HITECH Breach Notification Rule. Additionally, the Protocol covered the HIPAA Privacy Rule's requirements for the following:
- Notice of Privacy Practices for PHI;
- Rights to Request Privacy Protection for PHI;
- Access of individuals to PHI;
- Administrative Requirements;
- Uses and Disclosures of PHI;
- Amendment of PHI; and
- Accounting of disclosures.
Of particular relevance, the Protocol identifies the procedures and questions on which auditors should focus when conducting HIPAA audits. In doing this, the Protocol emphasizes the issues of particular importance to OCR and reveals areas of potential compliance enforcement concentration. It also serves as a guideline for health providers to use when reviewing and updating their compliance programs.
In addition to aiding compliance efforts, the Protocol may also help health care providers avoid significant financial penalties. One of the HITECH Act's most daunting provisions greatly increased penalties for HIPAA violations occurring after February 2009. The civil money penalties for violating HIPAA privacy standards, which were previously set at $100 per violation with an annual cap of $25,000, have been increased to $50,000 per violation with an annual $1,500,000 cap.
For more information about how to utilize the audit Protocol to update and streamline your compliance program, please contact one of Foster Swift’s health care law experts.
With a business-minded approach, and service-oriented delivery, Mindi helps clients navigate challenges and solve problems in the areas of employee benefits law and health care law. Mindi has spoken and written extensively on ...