OCR Issues ICR on HIPAA Audit Program
The Office for Civil Rights (OCR) enforces the Health Insurance Portability and Accountability Act (HIPAA) and oversees health information privacy in the Department of Health and Human Services (HHS). OCR is now seeking comments and input on the agency’s HIPAA audit process. In an Information Collection Request (ICR) notice published in the Federal Register on May 30, 2013, the agency announced that it will collect input from the 115 covered entities (health plans, clearinghouses and providers) that OCR audited in 2012. The deadline for submitting comments is July 1, 2013.
The ICR seeks information on how effective these audits were and solicits opinions on the audit process itself, including:
- Measure the effect of the HIPAA Audit program on covered entities
- Gauge their attitudes towards the audit overall and with regard to major audit program features, such as the document request, communications received, the on-site visit, and the audit-report findings and recommendations
- Obtain estimates of costs incurred by covered entities, in time and money, spent responding to audit-related requests
- Seek feedback on the effect of the HIPAA Audit program on the day-to-day business operations
- Assess whether improvements in HIPAA compliance were achieved as a result of the Audit program
The information, opinions, and comments collected will be used to produce recommendations for improving the HIPAA Audit program. To date, OCR has collected $15.3 million in HIPAA penalties and settlements, the most recent being a $400,000 settlement with Idaho State University (ISU). The penalty was incurred because a firewall failed at a university health clinic, resulting in a breach of 17,500 patient records that went undetected for more than 10 months.
The HIPAA Omnibus Rule, passed in January by HHS and effective as of March 25, 2013, strengthens protection of patient information in a digital environment. It is worth noting that, although the Idaho State University breach stemmed from a failed firewall, firewalls are not mentioned anywhere in HIPAA. According to HIPAA security expert Mike Semel: “ISU paid a $400,000 HIPAA penalty because one of theirs failed. How can you penalize someone for violating a rule that doesn’t exist? In fact, the rule does exist. Even without mentioning firewalls or other specific technologies, HIPAA requires that ePHI be protected from loss or unauthorized access, and that endpoints be protected from malicious software. Information System Activity Reviews need to occur regularly to identify who is accessing patient data. Guidance from the National Institute of Standards and Technology (NIST) includes information about protecting networks and specifically mentions firewalls.”