OCR, which hired the consulting firm Booz Allen Hamilton to help design the auditing program, "is still working through what will give us the most bang for the buck," Greene said. For example, it's still weighing whether to audit a random sample of healthcare organizations or "going wider," he said.
Last May, another official at the Office for Civil Rights expressed hope the program would be launched by the end of 2011.
Greene also reiterated that the final version of rules to modify HIPAA privacy, security and enforcement rules will be issued at the same time as a final version of the breach notification rule. But again, he wouldn't say when those rules would be unveiled, other than to say they would be issued this year.
But he acknowledged that a rule governing how to provide an accounting to patients about disclosure of information from electronic health records to those outside of the organization that created them would likely be the first to be issued this year.
At the HIMSS Conference on Feb. 20, Lisa Gallagher, senior director of privacy and security at HIMSS, said that the disclosure rule would likely be issued in March, with the HIPAA modifications and the breach rule likely to come out in the second half of the year.
Compliance AdviceAlthough HIPAA and the HITECH Act don't explicitly mandate the use of encryption, Greene stressed that the HIPAA security rule makes encryption "addressable," meaning that "it's required if it's reasonable and appropriate." He added, "For electronic health records, it is generally reasonable and appropriate to encrypt."
Greene also noted that in addition to the more than 200 reports of major health information breaches affecting 500 or more individuals reported to OCR so far, the office had received more than 14,000 reports of smaller breach incidents as of the end of 2010.
Because a majority of cases have involved the theft or loss of devices, he urged attendees not to "underestimate the value of physical and administrative safeguards"
And although the proposed HIPAA modifications would extend compliance requirements to business associates, Greene said that hospitals, clinics and insurers still should sign business associate agreements. "It's an important opportunity to clarify their roles," he said.