The permanent Health Insurance Portability and Accountability Act (HIPAA) auditing program slated to begin next year will be narrower in scope than the 2012 auditing pilot program, according to Leon Rodriguez (pictured), director of the U.S. Department of Health & Human Services' Office for Civil Rights, speaking at the HIMSS Privacy and Security Forum in Boston this week.
For audits and breach investigations, OCR plans to "really look at the level of compliance at both covered entities and business associates," Rodriguez said in his Sept. 23 presentation, according to HealthcareInfoSecurity.
OCR's recently released electronic complaint portal will double the amount of legitimate breach complaints--from 10,000 to 18,000--HealthITSecurity pointed out. "About 90 percent of those complaints have been in regard to HIPAA and most of them do represent justifiable issues," Rodriguez said. "We'll be looking for more efficient ways of tracking cases, determining and prioritizing the most impactful cases for industry-wide learning purposes."
In the pilot program, a lack of thorough risk analysis was found to be a major weakness. Under OCR's permanent program, audits will place a special focus on vulnerabilities that can change from year to year, Rodriguez said.
He also predicted that OCR will leverage more civil penalties, and that banking penalties will give them more funding for auditing and breach analysis.
"Senior leadership needs to take responsibility for privacy and security," Rodriguez said, according to HealthITSecurity. "It's not enough to delegate those responsibilities to the CIOs or compliance officers."
While yesterday was the first day that healthcare organizations and their business associates needed to be in compliance with the HIPAA omnibus rule unveiled in January, HHS has already made exceptions and delaying certain aspects of the rule.
An announcement from HHS stated that OCR will delay its enforcement of the requirement that "certain HIPAA-covered laboratories revise their notices of privacy practices (NPPs) to comply with the modifications made to the HIPAA Rules published in the Federal Register on Jan. 25, 2013, commonly known as the 'Omnibus Rule,' until further notice."
To learn more:
- read the article in HealthcareInfoSecurity
- read the article in HealthITSecurity
Despite HIPAA compliance deadline, OCR to delay some requirements
Health group tackles business associate contracts for HIPAA
CIOs: Patient data segmentation will be one of HIPAA's biggest challenges
HHS to provide more HIPAA guidance to covered entities
HHS unveils final HIPAA omnibus rule
HIPAA business associate compliance by EHR vendors not optional