Monday the HHS announced they were moving responsibility for both HIPAA Security Rule and Privacy Rule under the OCR.
That same day they also announced they were expanding the HIPAA “privacy enforcement team.” (Scroll down on this page to see the full verbiage of the announcement.)
If the consolidation of the compliance responsibilities under one office didn’t convince you that HIPAA, and HITECH Act, compliance actions would be stepped up, then this certainly should.
There are also additional indications that the OCR be doing many more HIPAA compliance audits. In 2008 the CMS contracted PwC auditors to perform HIPAA audits, and then they contracted Quality Software Services, Inc (QSSI) to do compliance reviews in 2009.
These contracted audits will likely continue, even under the OCR, since they are not “complaint based” audits that the newly hired privacy folks will likely be performing based upon the job descriptions, but rather the semi-surprise audits that are not complaint-based, but are performed based upon covered entity type and location and are meant to improve compliance and generally see if HIPAA (and now HITECH Act) requirements are being followed, are understood, etc.
It is very interesting, and good to see from the CMS information about the audits, that the HHS is following the same type of compliance audit activities that I’ve performed in my 150+ information security and program audit reviews! 🙂
The CMS has reported that some of the most common HIPAA compliance violations include lack of:
- HIPAA Security Policies and Procedures
- Business Associate Agreements
- Encryption of ePHI on mobile devices
- HIPAA Security Training
Basic elements of an information security and privacy program!
So, from a compliance standpoint, should covered entities (CEs) and business associates (BAs) be less concerned about the consolidation of security rule and privacy rule oversight under OCR since the OCR doesn’t have a reputation of coming down hard on providers?
No. This move means that, even though to date they have not taken action, a trigger has been pulled to be more aggressive with compliance actions and penalties. The fact that the penalties were increased through the HITECH Act modifications point to greater fines and penalties coming soon.
HIPAA CEs and now BAs (estimated to be around 650,000 BAs in the U.S.) need to review their information security and privacy programs now and make sure they are in compliance!
Here is the HHS privacy enforcement team expansion announcement:
Announcement
August 3, 2009
HHS is expanding its health information privacy enforcement team.
These new positions are located in the Department of Health and Human Services (DHHS), Office of the Secretary, Office for Civil Rights (OCR), Office of the Deputy Director Health Information Privacy (ODDHIP). OCR provides the oversight, leadership, and coordination necessary to ensure that individuals have nondiscriminatory access to HHS services or programs and that the privacy of their health information is protected. The Division of Health Information Privacy enforces the HIPAA Privacy Rule and the confidentiality provisions of the Patient Safety and Quality Improvement Act.
For more information on these available positions, go to http://www.usajobs.gov/ and enter the corresponding job announcement number.
Titles and job announcement numbers:
Health Information Privacy Specialist, GS-301-13/14 HHS-OS-14-2009-0012
Health Information Privacy Specialist, GS-301-13/14 HHS-OS-14-2009-0013
The open period for these positions is Friday, July 31, 2009 to Thursday, August 13, 2009.
For more information about the health information privacy activities of OCR, visit our web site at http://www.hhs.gov/ocr/privacy/index.html.
Tags: awareness and training, breach law, breach notification, breach response, HIPAA, HITECH Act, Information Security, IT compliance, IT training, patient privacy, personally identifiable information, PII, policies and procedures, privacy training, security training