Ramped Up HIPAA Enforcement: A Government Myth or Reality?

Jay Hodes
Jay Hodes

Guest post by Jay Hodes, president, Colington Consulting.

A little more than a year ago the former Director of the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), Leon Rodriquez, referred to covered entities that did not realize they have business associate relationships in place. He went on to say that some business associates did not know that they were actually business associates. Rodriquez stressed it was both the responsibility of the covered entity and the business associate to understand this relationship does exist.

Regarding ramped up HIPAA enforcement and compliance, Rodriquez indicated future audits will be narrower in scope and include more organizations than ever before. Covered entities and their business associates also will be audited under the new permanent program, and audits will focus on vulnerabilities that could change year to year as new issues arise.  This appeared to be the start of an intended awareness program and fair warning.

With Rodriquez’s departure to Homeland Security in June, it seemed like the task of continuing the drum beat message of ramped up HIPAA enforcement fell to Linda Sanches.

Sanches is OCR’s senior health information privacy advisor. In that position, she oversees the HIPAA security and breach notifications audit program and may know a thing or two about the direction OCR wants to take with future audits. Sanches recently spoke at the Health Information and Management Systems Society (HIMSS) Privacy and Security Forum. However, she did not provide any striking revelations or critical insights about these new audits, just more of what the industry seems to know already, that these audits are coming.

Much like Rodriquez did in the past, Sanches spoke more in generalities than specifics. She indicated OCR was looking at a broader view of the entire healthcare industry as possible criteria for selection of who would be targeted for an audit. Using the National Provider Identifier (NPI) database is a method being considered to select entities like hospitals, practices and dental providers for audits.

Continue Reading