ARTICLE
8 March 2017

Privacy and Security Audits May Be Moving From Education to Enforcement

DP
Day Pitney LLP

Contributor

Day Pitney LLP logo
Day Pitney LLP is a full-service law firm with more than 300 attorneys in Boston, Connecticut, Florida, New Jersey, New York and Washington, DC. The firm offers clients strong corporate and litigation practices, with experience on behalf of large national and international corporations as well as emerging and middle-market companies. With one of the largest individual clients practices on the East Coast, the firm also has extensive experience assisting individuals and their families, fiduciaries and tax-exempt entities plan for the future.
Explore
A March 2 article in Bloomberg BNA's Privacy Law Watch and other publications, "Privacy and Security Audits May Be Moving From Education to Enforcement," reported that the Department of Health and Human Services' Office for Civil Rights' (OCR's) ongoing HIPAA privacy and security audits may be shifting focus from provider education to enforcement.
United States Food, Drugs, Healthcare, Life Sciences
Person photo placeholder
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

A March 2 article in Bloomberg BNA's Privacy Law Watch and other publications, "Privacy and Security Audits May Be Moving From Education to Enforcement," reported that the Department of Health and Human Services' Office for Civil Rights' (OCR's) ongoing HIPAA privacy and security audits may be shifting focus from provider education to enforcement. All healthcare providers and business associates, not only OCR audit subjects, must ensure that their compliance and operational teams are working together to detect vulnerabilities. Day Pitney's Eric Fader was quoted in the article.

While OCR's official statements have consistently referred to the HIPAA audits as being primarily educational, for OCR to determine the industry's overall level of compliance and identify problem areas, Eric has long stated his belief that if in the course of an audit OCR discovers an egregious violation, the audit will be swiftly converted into an enforcement action. He told Bloomberg BNA, "If and when the phase two desk audits results reveal other types of problems that OCR hasn't yet considered, we're likely to see those problems highlighted in settlements, perhaps with some sort of guidance published by the OCR either previously or concurrently."

Eric predicted that the increased number and size of HIPAA settlements that we saw throughout 2016 will continue through 2017, and that it would not be surprising to see OCR increase cooperation with other agencies, like the U.S. Food and Drug Administration and the Federal Trade Commission, to expand the breadth of HIPAA enforcement and education.

Eric also noted that Deven McGraw, OCR's Deputy Director for Health Information Privacy, recently acknowledged that the onsite audit portion of the Phase 2 audits won't begin until the end of 2017 at the earliest, and may even "slip into 2018." McGraw stated that OCR would like to review the results of the desk audit portion of Phase 2, and also obtain input from new HHS Secretary Tom Price, before starting the onsite audits.

For more articles and regular updates on legislative changes, regulatory developments and other news of interest to businesses, professionals and investors in the healthcare industry, please subscribe to Day Pitney's mailing lists.

Click here for more Healthcare Blogs from Day Pitney

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Person photo placeholder
Day Pitney LLP
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More