Attorneys for the law firm Ropes & Gray published an alert stating that, “On June 26, 2012, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) posted on its website the protocol it developed to serve as a guideline for the recently-implemented Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) compliance audits.”
They go on to explain, “Mandated by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, these audits are conducted as part of the new OCR HIPAA Audit program (the “Audit program”). Launched in late 2011, the Audit program is intended to assess covered entities’ compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The Audit program signals a major shift in HIPAA enforcement, ushering in a new era of proactive oversight and enforcement, and a departure from the largely reactive and complaint-based enforcement activity of the past.”
Basically, the protocol guides government auditors to conduct a comprehensive review of compliance efforts by covered entities (employer health plans are considered covered entities).
HITECH increased civil penalties for willful neglect. These penalties can extend up to $250,000, and repeat or uncorrected violations can extend up to $1.5 million. Furthermore, under certain conditions HIPAA’s civil and criminal penalties now extend to business associates as well.
To determine audit readiness and general HIPAA compliance, covered entities and business associates should proactively develop a work plan for reviewing their operations against the specifications identified in the protocol.