HHS OCR has focused heavily on compliance with the HIPAA rules on
individual access of information, with approximately one enforcement
settlement per month since September of 2019 (more than two dozen
settlements so far), and the new Information Blocking rules provide a
fresh impetus for HHS to keep up the pressure. At the same time,
enforcement actions continue for other violations, such as improper
release of patient information, systemic noncompliance, lack of security
risk analysis, and improperly addressed business relationships between
affiliated entities.
Recent enforcement actions show HHS’s willingness to work in
conjunction with State Attorneys General to bring about settlements for
violations of several laws at once, a new emphasis on the importance of
prompt action on requests for individual access of Protected Health
Information (PHI), and a new crackdown on doctors responding to
patients’ social media posts and including PHI in the posting.
New guidance from HHS about the liability of Business Associates for
compliance makes it clearer what Business Associates are liable for,
and what responsibilities for HIPAA compliance remain in the Covered
Entities’ hands. Both Covered Entities and Business Associates need to
be prepared for the enforcement distinctions and responsibilities.
In this session we will discuss the enforcement actions that have
been taken, and the lessons that can be learned from those actions. We
will explore what kind of issues were most prevalent and what kind of
entities had the most problems, and show where entities need to improve
their compliance the most based on real enforcement experience.
Even though the HIPAA audit program is on hold for at least the time
being, that doesn’t mean there will be no enforcement of the HIPAA
rules. In fact, preparing for a HIPAA Audit is one of the best ways to
be ready to respond to any enforcement action, and going through an
internal HIPAA Audit will help you find issues before they become
problems that can lead to penalties.
USDHHS has published a protocol for the HIPAA audits, so it is
possible to know how to prepare for an audit or enforcement review.
Nearly any health care covered entity may be subject to an audit or
enforcement investigation; all entities need to know what kinds of
questions they’ll be asked, what information they’ll need to provide, and
how to prevent issues that could lead to violations and fines. Being
ready to reply to an inquiry can help minimize potential penalties.