HIGHLIGHTS:

  • Several recent developments have taken place related to the Health Insurance Portability and Accountability Act (HIPAA) privacy and security compliance requirements, and enforcement is increasing.
  • Now is a good opportunity for covered entities to re-examine their HIPAA compliance programs.
  • Although compliance with HIPAA and other regulations can be daunting, the government has published many resources that can provide assistance.

A number of new developments have taken place related to Health Insurance Portability and Accountability Act (HIPAA) privacy and security compliance, and enforcement is increasing. Healthcare providers, health plans and other covered entities, as well as business associates, should use this opportunity to re-examine their HIPAA compliance programs. Federal government agencies have been busy publishing guidance and resources that may be useful.

Phase 2 of the HIPAA Privacy, Security, and Breach Notification Rules Audit Program

The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) required the federal Department of Health and Human Services' Office for Civil Rights (OCR) to audit covered entities and business associates. OCR's initial audit program, developed in 2011 and 2012, assessed 115 covered entities. OCR, for a number of years, has also been conducting complaint-driven compliance investigations, as well as investigations of certain entities that self-reported breaches. On March 21, 2016, OCR announced "Phase 2" of its audit program. Providers and other covered entities have already begun receiving emailed letters asking for updated contact information so that OCR can more effectively communicate with the entities should they be selected for the audit. Failure to respond will not shield a hospital or other covered entity from being included in the audit program, so it is important to check email spam filters to make sure that an email has not been held up in delivery.

OCR intends to audit a broad spectrum of covered entities and business associates of various sizes, types and locations. The audits could be conducted on site or by desk review. Interestingly, OCR will not include entities with an open complaint investigation or compliance review in this program. Covered entities will be asked to provide to OCR a list of business associates, who then could become potential audit targets. OCR has published an optional template that covered entities could use to provide information about business associates. The template calls for 27 data elements for each business associate.

Covered entities and business associates will have only 10 business days to respond to audit requests. A final audit report will be completed within 30 business days after the auditee responds. Depending on the results of the audit, OCR may initiate a compliance review which, presumably, could lead to enforcement action. Even though more stringent state laws that are contrary to HIPAA preempt HIPAA's provisions, OCR has indicated that its audit program will not consider state-specific privacy and security rules.

Updated Audit Protocol

OCR has just released a revamped and updated audit protocol that applies to both business associates and covered entities. It establishes performance criteria for specific provisions of the HIPAA regulations, and also includes specific questions auditors may ask and documents that may be requested during the audit process. Entities in the healthcare sector could use this protocol to assess their current state of compliance.

Resources for Medical App Developers

Mobile app developers in the healthcare space sometimes have challenges in determining how various laws and rules, including HIPAA, apply to their products. Hospitals and other healthcare providers sometimes have their own mobile apps. In late 2015, OCR launched a website where app developers can ask questions and OCR, as well as members of the public, may post responses. The questions and answers are anonymous. OCR has indicated that comments posted to the site will not subject anyone to enforcement action. Instead, the site is designed to serve as a resource and promote dialogue. Included on the site is a document that discusses specific hypotheticals that might apply to various app designs, and then analyzes how HIPAA might apply to the app.

The Federal Trade Commission (FTC) has developed an interactive decision tool for mobile health apps. It is designed to assist mobile app developers in determining whether HIPAA, the Federal Food, Drug, and Cosmetic Act, the Federal Trade Commission Act, and FTC's Health Breach Notification Rule may apply to their products.

Next Steps

Although compliance with HIPAA and other regulations can be daunting, the government has published these and many other resources that can provide assistance. Regulatory compliance is an ongoing process. In light of the OCR audit program, now would be a good time for healthcare providers and others in the healthcare industry to review and update their compliance programs.