HIPAA Compliance Review to be Stepped Up for Health Care Providers


By: Denise Smith, Senior Accountant 

The Health Insurance Portability and Accountability Act (HIPAA) established standards for sharing, using and disclosing individuals’ personal health information (PHI).  The Office for Civil Rights (OCR) is responsible for enforcing compliance with HIPAA standards.

HIPAA violations can occur in many ways. Some examples: a health care provider giving details to a patient’s family member without first getting written permission; theft or loss of an electronic device or laptop that is not encrypted; improper storage or destruction of paper files; an employee accessing the medical information of a friend or acquaintance out of curiosity.

Recently, the Office of the Inspector General (OIG) reviewed the Office for Civil Rights’ oversight of HIPAA compliance. The OIG found that OCR should strengthen its oversight of covered entities’ compliance with the Privacy Rule contained in HIPAA. It also found that OCR’s oversight is primarily reactive (investigating reports of noncompliance in response to complaints) and that OCR has not fully implemented a required audit program that will proactively assess noncompliance with HIPAA.

Among the five recommendations in the OIG report was that OCR should implement a permanent audit program that proactively assesses noncompliance with HIPAA. OCR concurred and said it will be launching Phase 2 of its audit program in early 2016. Phase 2 will involve testing the effectiveness of desk reviews of policies as well as on-site reviews.

Now is the time to make sure that you have HIPAA policies in place, and that your employees are familiar with those policies.  More information on the HIPAA privacy rule and enforcement can be found at www.hhs.gov/ocr/hipaa.

Holbrook & Manter’s healthcare team can assist you in matters regarding HIPAA. Contact us today.