Wednesday, February 22, 2012


BNA INSIGHTS: The Top Health Care Privacy Issues to Watch in 2012

Kirk J. Nahra

By Kirk J. Nahra, Wiley Rein LLP, Washington

There’s a lot going on in the health care world today. Perhaps because of ongoing health care reform developments and the long-standing delay in issuing final amendments to the Health Insurance Portability and Accountability Act rules, the topic of health care privacy has been relatively quiet in 2011, as companies appear to be awaiting the final changes before making appropriate revisions to their privacy and security programs. What should we be watching for on health care privacy and security in 2012 (aside from the basic question of when the final rules amending the HIPAA regulations, which were mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, will be issued)?

• The HIPAA Audit Program

As a component of its HITECH Act obligations, the Department of Health and Human Services Office for Civil Rights (OCR) recently announced that it was commencing an audit program to review overall compliance with HIPAA and HITECH Act obligations. One hundred and fifty audits will be conducted before the end of 2012, in two phases (following an initial phase that developed an audit protocol). The first phase will involve a “limited number” (according to HHS) of audits to “test these protocols.” Following this initial test, the remainder of the 150 audits will be conducted.

HHS has been somewhat cagey about how these audits will be used. For the most part, the goal is to identify compliance trends and areas where future guidance would be helpful. For all in the health care industry, this guidance presumably would be useful. HHS, frankly, has given surprisingly little guidance in recent years about any aspect of the privacy or security rules. If these audits can lead to specific advice about areas for additional attention, the health care industry, its business partners, and health care consumers all will benefit. If, however, this guidance rewrites the rules without the need for rulemaking procedures (as HHS could be accused of doing in connection with the proposed HIPAA Accounting of Disclosures Rule; see “The HIPAA Accounting NPRM and the Future of Health Care Privacy,” BNA’s Privacy & Security Law Report (10 PVLR 1007, 7/11/11)), then this guidance, while still useful, may create its own problems or otherwise create nervousness and frustration.

Moreover, covered entities clearly will be concerned about the impact of these audits on their own compliance risks. The audits are supposed to be random—although there is no clear statement that the audits won’t also have a risk factor based on complaints or other history or particular targeted areas for attention. In addition, the burden of the audit procedure likely will be significant. To start, there is a 10-day turnaround for what is expected to be a significant set of document requests. Then, HHS auditors will be on-site for “3-10 days,” which brings with it a related set of burdens…
