HHS-OCR has updated its website with guidance on two important and current issues: ongoing HIPAA audits and de-identification. After officially launching phase two of its audit program earlier this month, sending notification letters to 167 covered entities, HHS-OCR has posted updated guidance on its website regarding the audits. Unrelated to the audits, OCR also posted guidance on the treatment of unique device identifiers (UDIs) under HIPAA’s standards for de-identification and limited data sets.
On July 13, shortly after notification letters were sent, HHS-OCR held a webinar to explain the audit process to affected organizations. In an email, HHS-OCR clarified that desk audits, which will begin for business associates in late September 2016, “require entities to submit documentation of their compliance with requirements of the notice of privacy practices, access, breach notification, risk analysis and risk management standards.” Among other documentation, OCR requests a copy of all notices posted on a covered entity’s website and within its facility, as well as the notice distributed to individuals, in place as of the end of the previous calendar year.
In response to questions from the webinar, HHS-OCR posted three additional guidance documents on its website. The documents included a comprehensive list of questions and answers from the webinar, a detailed list of audit requests paired with related questions and rule requirements, and slides from the webinar. For example, OCR clarified that covered entities should not produce medical records in response to OCR’s request for documentation of requests for access by individuals to their own Protected Health Information. These materials could prove useful to covered entities and business associates seeking to improve their compliance with the HIPAA requirements.
In a separate FAQ posted July 27, HHS-OCR clarified that the device identifier portion of a UDI may be shared as part of a de-identified data set or a limited data set, as long as the data does not contain specific production identifiers or device-specific serial numbers, because it is not the type of device identifier to which the HIPAA Privacy Rule provisions refer. The device identifier portion of the UDI is a model or version number of a device and is not unique to a specific device. However, a production identifier, also part of the UDI, is a “device identifier” under HIPAA rules and may not be shared in the same way. This guidance holds the potential to help both researchers studying the effectiveness of medical devices and medical professionals who need to respond quickly to medical incidents related to devices.
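As an added illustration of the distinction the FAQ draws (this is example code written for this post, not something published by HHS-OCR), the function below keeps only the device identifier portion of a UDI and drops every production identifier before a record goes into a de-identified or limited data set. It assumes the UDI is written in the bracketed GS1 application-identifier format, which the FAQ does not specify; the sample UDI and record are constructed.

```python
import re

# Assumption: GS1 "(AI)value" format. (01) is the GTIN, i.e. the device identifier
# (model/version, shared across every unit of that model). The others are production
# identifiers tied to a specific unit or batch: (10) lot, (11) manufacturing date,
# (17) expiration date, (21) serial number.
DEVICE_IDENTIFIER_AIS = {"01"}
PRODUCTION_IDENTIFIER_AIS = {"10", "11", "17", "21"}

AI_PATTERN = re.compile(r"\((\d{2,4})\)([^()]*)")


def parse_udi(udi: str) -> dict:
    """Split a bracketed GS1-style UDI into an {application_identifier: value} map."""
    parts = AI_PATTERN.findall(udi)
    # Reject anything that is not purely a sequence of (AI)value groups.
    if not parts or "".join(f"({ai}){val}" for ai, val in parts) != udi:
        raise ValueError(f"not a bracketed GS1-style UDI: {udi!r}")
    return {ai: val for ai, val in parts}


def device_identifier_only(udi: str) -> str:
    """Return just the DI portion; raise rather than pass through anything unclassified."""
    fields = parse_udi(udi)
    unknown = set(fields) - DEVICE_IDENTIFIER_AIS - PRODUCTION_IDENTIFIER_AIS
    if unknown:
        # Fail closed: an AI we cannot classify is treated like a production identifier.
        raise ValueError(f"unclassified application identifier(s): {sorted(unknown)}")
    kept = {ai: val for ai, val in fields.items() if ai in DEVICE_IDENTIFIER_AIS}
    if not kept:
        raise ValueError("no device identifier present in UDI")
    return "".join(f"({ai}){val}" for ai, val in kept.items())


def scrub_records(records: list) -> list:
    """Return copies of the records with each 'udi' field reduced to its DI portion."""
    return [{**rec, "udi": device_identifier_only(rec["udi"])} for rec in records]


# Constructed sample: DI (GTIN) followed by expiry, lot and serial production identifiers.
SAMPLE_UDI = "(01)00123456789012(17)141120(10)7654321D(21)10987654d321"
SAMPLE_RECORDS = [{"record_id": "r-001", "udi": SAMPLE_UDI}]

if __name__ == "__main__":
    print(scrub_records(SAMPLE_RECORDS))
```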