As promised, the Office of Civil Rights (OCR) has continued its aggressive agenda of enforcement while providing some guidance to all covered entities, much of which will be useful to those entities subject to the upcoming desk audits.

In the area of enforcement, OCR recently announced two substantial settlements. In March, the Feinstein Institute for Medical Research agreed to a $3.9 million dollar settlement. Feinstein had filed a breach report explaining that a laptop containing electronic Protected Health Information (ePHI) of approximately 13,000 patients was stolen from an employee’s car. Subsequent investigation by OCR found that Feinstein’s security management process was incomplete and insufficient in addressing potential risks and vulnerabilities, as well as a lack of policies governing various forms of employee authorization restrictions.

In another settlement, North Memorial Health Care of Minnesota agreed to a $1.55 million settlement for violations of HIPAA Privacy and Security rules after a laptop was stolen from a contractor. OCR found that North Memorial failed to enter into a Business Associate Agreement (BAA) with the contractor, and had failed to institute an organization-wide security risk analysis, as required by the HIPAA Security Rule.

Once again, readers are reminded of the requirement to conduct a security risk analysis, document the findings, and move forward implementing a security plan. In the alternative, maintain sufficient cash reserves.

In a recent conference on cybersecurity, Deven McGraw, Deputy Director for Health Information Policy in the Health and Human Services Office for Civil Rights, explained that the pool of desk audit targets is nearly complete, and it will include law firms in addition to the traditional categories of covered entities.

OCR recently released a revamped audit protocol, covering the following areas: (i) notice of privacy practices (NPP); (ii) a log of any requests for privacy protection of PHI; (iii) a log documenting requests by individuals to their PHI; (iv) uses and disclosures of PHI; (v) compliance with administrative requirements; and (vi) an accounting of disclosures.

Audits will also address compliance with the Security Rule requirements for administrative, physical and technical safeguards, and Breach Notification Rule requirements.

The audit protocol can be reviewed here:

OCR also released other materials that deal with the logistics of the audit process, including an audit pre-screening questionnaire. This questionnaire can be reviewed here:

Entities that are selected for audit will be required to identify and provide detailed information regarding their Business Associates. This information will be used to identify those Business Associates who will be subject to audit. To facilitate this process, OCR released a template that Business Associates will have to provide. The template can be reviewed here:

We advise covered entities and their Business Associates to begin reviewing their readiness for an audit, should they be chosen, and have the appropriate materials ready for submission. An entity or Business Associate chosen for audit will have only 10 days to respond.