Leon Rodriguez: Permanent HIPAA auditing program will be narrower

The permanent Health Insurance Portability and Accountability Act (HIPAA) auditing program slated to begin next year will be narrower in scope than the 2012 auditing pilot program, according to Leon Rodriguez, director of the U.S. Department of Health & Human Services' Office for Civil Rights, speaking at the HIMSS Privacy and Security Forum in Boston this week.

For audits and breach investigations, OCR plans to "really look at the level of compliance at both covered entities and business associates," Rodriguez said in his Sept. 23 presentation, according to HealthcareInfoSecurity.

OCR's recently released electronic complaint portal will double the number of legitimate breach complaints, from 10,000 to 18,000, HealthITSecurity pointed out. "About 90 percent of those complaints have been in regard to HIPAA and most of them do represent justifiable issues," Rodriguez said. "We'll be looking for more efficient ways of tracking cases, determining and prioritizing the most impactful cases for industry-wide learning purposes."

In the pilot program, a lack of thorough risk analysis was found to be a major weakness. Under OCR's permanent program, audits will place a special focus on vulnerabilities that can change from year to year, Rodriguez said.

He also predicted that OCR will leverage more civil penalties, and that banking the penalties will give the office more funding for auditing and breach analysis.

"Senior leadership needs to take responsibility for privacy and security," Rodriguez said, according to HealthITSecurity. "It's not enough to delegate those responsibilities to the CIOs or compliance officers."

While yesterday was the first day that healthcare organizations and their business associates needed to be in compliance with the HIPAA omnibus rule unveiled in January, HHS has already made exceptions and is delaying certain aspects of the rule.

An announcement from HHS stated that OCR will delay its enforcement of the requirement that "certain HIPAA-covered laboratories revise their notices of privacy practices (NPPs) to comply with the modifications made to the HIPAA Rules published in the Federal Register on Jan. 25, 2013, commonly known as the 'Omnibus Rule,' until further notice."

To learn more:
- read the article in HealthcareInfoSecurity
- read the article in HealthITSecurity
