
Additional HIPAA Compliance Guidance Issued

The OCR recently issued three guidance documents in response to questions received from covered entities currently under audit: (1) a list of all Q&As received from audited entities; (2) a table showing the documents OCR requested for each audit protocol and the Q&As associated with that audit protocol; and (3) slides from an OCR webinar for audited entities. The OCR is currently auditing covered entities, such as employer-sponsored group health plans, for compliance with HIPAA’s privacy and security rules. This new guidance should be helpful to plan sponsors, as well as to HIPAA Privacy and Security Officials, in their ongoing HIPAA compliance efforts. View the three guidance documents.

Largest Single-Entity Settlement to Date Due to HIPAA Non-Compliance

The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), recently entered into a $5.55 million settlement agreement with Advocate Health Care Network and its subsidiaries (“Advocate”) to resolve multiple potential violations of HIPAA involving electronic protected health information (“EPHI”). The settlement results from OCR’s investigation of Advocate, which began in 2013 after Advocate submitted three breach notification reports to OCR within a three-month timespan. The reported breaches involved (1) the theft from one of Advocate’s support centers of four desktop computers containing unsecured EPHI of nearly four million individuals, (2) unauthorized access of unsecured EPHI from the computer network of Advocate’s business associate (“BA”), and (3) the theft of a laptop containing unsecured EPHI from an Advocate workforce member’s vehicle. Upon its investigation, OCR determined that Advocate failed to (a) conduct an accurate and thorough risk analysis related to its utilization of EPHI, (b) implement… Continue Reading

August 2016