The largest federal health privacy audit initiative since HIPAA took effect is now in progress, and at least 200 organizations should expect an audit questionnaire or an on-site visit from the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services. But states, under the Final Omnibus Rule revision to HIPAA in 2013, can pursue HIPAA violation proceedings where OCR has declined to move forward, and many have done so. Connecticut has made its concerns about health privacy clear by example.
Connecticut has been particularly aggressive, as reported on April 18, 2016, in Hartford Business. The office of Connecticut Attorney General Jepsen has brought HIPAA proceedings that have resulted in over $200,000 in settlements from healthcare providers, health plans and Business Associates (contractors). “Protected health information is perhaps the most sensitive of personal information, and consumers are right to expect that it be safeguarded,” Jepsen said in an interview quoted in the article. The publication also notes that the Attorney General characterized his enforcement approach as “aggressive.”
Other states have pursued remedies for HIPAA violations, and Connecticut will serve as an example for those that have not yet begun. Healthcare organizations, and those who work with them and use patient-identifiable information to fulfill their tasks, should take the opportunity to review and update policies and procedures to comport with privacy and security regulations. If the organization hasn’t updated its protocols since moving to an electronic patient information system, or since updating the system, Connecticut’s actions should serve as a warning to do so now – before the attorney general of the organization’s state comes calling.
If you have questions regarding HIPAA compliance, electronic patient information management or HIPAA audit readiness, please call Kenneth N. Rashbaum.