Tuesday, March 22, 2016

OCR now concentrating on the official business associate agreements

Since 2015, the HHS Office for Civil Rights has sanctioned 6 healthcare covered entities with corrective action plans and financial penalties for major violations of the HIPAA privacy and security rules.


While OCR’s operations are partly funded through HIPAA fines, the ramped-up activity seems to be more about clearing out a backlog of HIPAA breach inquiries from before 2013, say Valerie Breslin Montague and Laurie Cohen, both partners at the Nixon Peabody law firm.


Clearing the backlog of earlier inquiries will let OCR move on to investigating breaches that occurred after the 2013 rules gave the agency authority to regulate business associates directly. Business associates are a major source of breaches and a current focus of OCR’s HIPAA compliance enforcement. The 2013 rules also introduced new requirements in areas such as marketing and genetic testing.


As this new phase of HIPAA compliance enforcement begins, covered entities and business associates should recognize that how they respond to OCR’s initial questions goes a long way toward determining how OCR responds in kind.


When OCR investigates a breach, it looks at the organization’s overall compliance and whether it has a culture of privacy and security. Organizations that respond quickly to a breach and to OCR’s inquiries during the investigation demonstrate the right culture, Breslin Montague notes.


OCR’s announcements of HIPAA fines and corrective action plans send a message to the industry, but they are also a teaching moment, according to Cohen. Nixon Peabody uses the announcements to talk with clients about questions such as who is receiving their protected health information, whether the client has assessed the recipient’s ability to secure it, and the client’s obligation to regularly reassess its risk analysis.


For example, OCR’s recent sanction of North Memorial Health Care, which included a $1.55 million fine and a corrective action plan, is instructive for other covered entities because of its focus on business associate agreements.


“Various covered entities take a prophylactic approach to managing their business associate agreements by sending such agreements to all of their vendors regardless of whether the vendors will be given access to PHI,” Nixon Peabody informed clients in a recent notification. “The North Memorial Resolution Agreement, however, recommends that OCR expects covered entities to have a more deliberate procedure to assess who is and who is not a business associate.”
