HIPAA Enforcer Reveals Audit Timeline

OCR's Leon Rodriguez Discusses Next Phase of Program

December 14, 2012.

HIPAA compliance audits will resume within about a year once results of a recently completed pilot program are reviewed, says Leon Rodriguez, director of the Department of Health and Human Services' Office for Civil Rights.

"We are now ... evaluating our [audit pilot] findings ... but also the audit [process] itself to determine what our permanent program is going to need to look like," Rodriguez says in an interview with HealthcareInfoSecurity. His comments came following a presentation at the HIMSS Privacy & Security Forum in Boston Dec. 13.

"My best guess is that [audits] will continue either in the latter part of 2013 ... [or] certainly by 2014, we'll be back in the business again," the nation's chief HIPAA enforcer says. "A lot depends on what our resources look like."

Penalties Coming

Monetary penalties that OCR imposes as a result of its various HIPAA enforcement actions will fund continuation of the audit program, he notes. Over the last year, OCR has collected about $4 million in a handful of settlements.

And be warned: Rodriguez says healthcare organizations should expect to see OCR issue more and larger monetary penalties for HIPAA non-compliance in the months to come. OCR has an "inventory" of ongoing investigations that Rodriguez expects will conclude with monetary settlements.

"What we've been learning from the monetary settlement cases we've done so far is that there is plenty of non-compliance out there, plenty of room for improvement," Rodriguez says.

In 2012, 115 HIPAA audits were performed by the consulting firm KPMG, which OCR hired to conduct the pilot, mandated by the HITECH Act. OCR's next wave of HIPAA audits and non-compliance investigations will likely focus on problem areas discovered during previous breach investigations and the audit pilot program, Rodriguez says.

Common compliance weaknesses include a lack of a timely and thorough risk analysis, insufficient or outdated processes and procedures to prevent and resolve breaches, and insufficient HIPAA training for staff.

HIPAA Modifications

In the interview, Rodriguez is far less specific about when a pending omnibus package of regulations, including HIPAA modifications, will be published. "We're hopeful that we'll be in a position to issue it soon," he says. The Office of Management and Budget has been reviewing the regulations since March.

The package will include modifications to the HIPAA privacy, security and enforcement rules; a final version of the HIPAA breach notification rule; and a measure spelling out that using genetic information for insurance underwriting purposes is a privacy violation as well as discriminatory under the Genetic Information Non-Discrimination Act.

The proposed HIPAA modifications will require business associates and their subcontractors to comply with the HIPAA Security Rule. Once the omnibus package is published, business associates will have just 180 days to comply, Rodriguez stresses.

In the interview, Rodriguez also:

  • Describes what OCR looks for in its investigations. "It's a menu of common sense steps, not a particular technological solution," he says.
  • Offers an update on the pending accounting of disclosures rule. OCR is still evaluating a large volume of comments received about a proposed version of the rule, which called for providing patients, upon request, with a report of who has accessed their records, he says.
  • Outlines specific steps healthcare organizations should take to improve their HIPAA compliance.

As head of the HHS Office for Civil Rights, Rodriguez is the nation's lead HIPAA enforcer. The agency oversees the ongoing HIPAA compliance audit program. Before joining OCR in 2011, Rodriguez was the chief of staff and deputy assistant attorney general for the Department of Justice's Civil Rights Division. From May 2007 to January 2010, he served as the county attorney for Montgomery County, Md.

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec
