Dive Brief:
- HHS' Office of Inspector General recently criticized the parent agency's Office for Civil Rights, saying OCR has been passively waiting for complaints, fails to record small breaches, and fails to document corrective actions in 74% of health privacy violation cases analyzed, according to a presentation at the Intercompany Long Term Care Insurance Conference this week in San Antonio, Texas.
- HHS classifies insurers that handle protected health information as "covered entities" and agents and brokers who handle data as "business associates."
- For the first phase of 135 audits, OCR analyzed covered entities only. The upcoming "Phase 2" health privacy audits will most likely include business associates.
Dive Insight:
"Insurance agents who handle consumers' health information could face a wave of federal privacy audits in the next year or two," noted LifeHealthPro's Allison Bell.
The presenters at the meeting, Angela Hoteling-Rodriguez of MedAmerican Insurance Company and Stephen Serfass of Drinker Biddle Reath LLP, said HHS has increased the OCR budget to prepare for the "Phase 2" audits set to start early this year and has added 18 full-time staff positions.
LifeHealthPro reported that privacy compliance experts predict OCR will conduct 200 desk audits and 24 on-site audits this year. These will include examining patients' access to EHRs, breach notification, and protection of patient privacy rights, as noted by Serfass and Hoteling-Rodriguez.
OCR has doled out $30 million in privacy violation penalties to hospitals, medical practices, health insurers and others since 2008, but its first round of audits was focused on ways to help covered entities better protect health information.
The HITECH Act of 2009 expanded HIPAA privacy requirements and enlisted HHS to discover non-compliance.