HHS Expected to Release Significant HIPAA Privacy Guidance This Year; Compliance Audits Proceed; Guide on Compliance Program Effectiveness Released Monday
HIPAA privacy guidance, audits, and enforcement are continuing under the new Administration.
On March 27, 2017, Iliana Peters, Senior Adviser for HIPAA Compliance and Enforcement at the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) spoke about OCR enforcement, current trends, and breach reporting statistics at the Health Care Compliance Association’s Compliance Institute. Peters stated that guidance on “hot button” privacy issues will be a priority for OCR this year. Practitioners can expect to see guidance ranging from social media privacy, certification of electronic health record technology, and the rationale for penalty assessment, according to a Bloomberg report.
OCR is currently in the middle of a round of HIPAA privacy, security, and breach notification audits of 166 covered entities and 43 business associates. Another round of audits is expected after the current set of audits is completed. While the imposition of civil monetary penalties and corrective action plans by OCR has been limited, Peters anticipates an uptick in monetary penalties in the future, Bloomberg reported.
In conjunction with Peters’ presentation, the HHS Office of Inspector General (OIG) released a resource guide on Measuring Compliance Program Effectiveness for healthcare practitioners. The guide is a product of a compliance effectiveness roundtable meeting held in January 2017 in collaboration with the Health Care Compliance Association. The guide is intended to “provide measurement options to a wide range of organizations with diverse size, operational complexity, industry sectors, resources, and compliance programs.”
The 53-page guide provides organizations with a plethora of options regarding what and how to measure in an assessment of the organization’s compliance program. The guide is structured around seven elements of an effective compliance program, including:
- Standards, Policies, and Procedures;
- Compliance Program Administration;
- Screening and Evaluation of Employees, Physicians, Vendors and other Agents;
- Communication, Education, and Training on Compliance Issues;
- Monitoring, Auditing, and Internal Reporting Systems;
- Discipline for Non-Compliance; and
- Investigations and Remedial Measures.
The guide encourages organizations to choose among the options based on each organization’s need. To that end, the OIG stresses that “[u]sing them all or even a large number of the[m] is impractical and not recommended.” While the guide provides new tools to facilitate organizations’ compliance efforts, HIPAA compliance must involve a tailored approach that reflects each organization’s risks and resources; OIG cautions that the new guide is not a “‘checklist’ to be applied wholesale,” as “one size truly does not fit all.”