When it comes to HIPAA breaches, entity size does not matter. What matters is compliance, and the Office for Civil Rights (OCR)'s oversight of it.
A couple of weeks ago, the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) released two companion reports: OCR Should Strengthen Its Oversight of Covered Entities' Compliance With the HIPAA Privacy Standards and OCR Should Strengthen Its Follow-up of Breaches of Patient Health Information Reported by Covered Entities. I plan on addressing some of the highlights of the reports and then will offer tips for physicians, regardless of the size of the practice.
As the titles of the two reports suggest, the OIG found deficiencies in OCR's administration and oversight of compliance with the HIPAA Privacy Rule, as well as a need to strengthen its follow-up of reported breaches. While these two reports specifically examined covered entities, it is important to reemphasize that business associates and subcontractors are subject to the same regulations and penalties.
Here are some of the key areas of the reports:
What does this mean for physicians? First, it is likely that OCR is going to ramp up investigations and, subsequently, fines. Second, more complete documentation means a quicker response when OCR does investigate. Third, since the size of the entity does not matter, the compliance requirements, including a comprehensive risk assessment, adequate policies and procedures, and encryption, are going to be even more crucial. In other words, being proactive instead of reactive can keep the entity off of HHS' Wall of Shame.