The Office of Inspector General for the U.S. Department of Health and Human Services (“HHS”) recently released a report that recommends the HHS’s Office for Civil Rights (“OCR”) strengthen its oversight of covered entities’ compliance with the Privacy Rule under the Health Insurance Portability and Accountability Act (“HIPAA”). One specific recommendation is that OCR fully implement the audit program required under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, so that OCR can proactively gauge HIPAA compliance, rather than launching investigations of covered entities’ privacy practices solely in response to complaints, tips, or media reports of possible noncompliance. Responding to these recommendations in a letter dated September 23, 2015, the Director of OCR stated that the second phase of the HIPAA audit program will be launched in early 2016. According to that letter, the upcoming round of audits will (1) include both “desk reviews of policies” and on-site reviews, (2) target common areas of noncompliance, and (3) include reviews of HIPAA business associates. Taking into account this new audit program and the costly and burdensome settlement agreements that HHS already has entered into with noncompliant covered entities (including employer-sponsored group health plans), plan sponsors should review compliance with HIPAA’s privacy and security standards on a regular basis.
The Office of Inspector General’s report, including OCR’s response, is available here.