OCR Shares Preliminary HITECH Audit Results; What Regulated Entities Can Expect Next

Author: Ms M. Daria Niewenhous
Profession: Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

Last week at the OCR/NIST conference, Building Assurance through HIPAA Security, Linda Sanches of the Office for Civil Rights provided an extensive update on the pilot HITECH audit program, including preliminary findings, what regulated entities can expect next and suggestions for covered entities concerned about being audited. Mintz Levin attended the conference and is pleased to share some of the highlights below:

The initial round of audits included 8 health plans, 10 providers, and 2 clearinghouses.

Providers had the most findings (81%). Provider findings were both privacy and security related. The most common privacy findings included misuse of the PHI of deceased individuals, compliance with the patient confidential disclosures right, disclosures for judicial proceedings, compliance with the patient access right, failure to follow policies and procedures, no evidence of policy and procedure implementation, insufficient policies and procedures, failure to review and update policies on an ongoing basis, and failure of the organization to prioritize HIPAA compliance. The most common security findings included insufficient contingency planning, insufficient user activity monitoring, and failure to conduct and/or to update risk assessments. Business associates were not included in OCR's preliminary round of audits, but will be targeted in later rounds. OCR is refining its audit protocol and will be posting it soon...
