- The 13-month pilot privacy and security audit program created by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for healthcare providers is nearing an end. December 2012 marks the end of the program that began in November 2011, when OCR picked 115 healthcare organizations to undergo privacy, security and breach notification audits by the large auditing firm KPMG. What healthcare organizations will want to pay attention to, however, is the potential for surprise audits of those that haven’t been visited yet.
While OCR said that it didn’t plan on penalizing these organizations unless there were egregious privacy and compliance issues, the sanctions would have been steep for these providers. The HITECH Act, as detailed by datacenterknowledge.com, has civil penalties for HIPAA violations that can reach $50,000 per violation and up to $1.5 million for identical violations across multiple records in a single calendar year.
OCR’s audits will transition from a relaxed pilot program to full-on enforcement in 2013, a fact that could take some organizations by surprise. Organizations will need to be prepared for a 169-item performance audit that concentrates on adherence to these three rules: the HIPAA Privacy Rule, Security Rule and Breach Notification Rule. Additionally, it won’t just be covered entities taking part in these audits in 2013, as “business associates” such as health information exchange (HIE) partners, data center operators and cloud computing providers that use electronic protected health information (ePHI) will now be subject to these checkups.
OCR won’t be as cordial with healthcare providers and business associates in 2013, and the datacenterknowledge.com article suggests that providers should produce an annual third-party independent report on HIPAA compliance. These tangible reports will serve as a solid baseline for proving to OCR that these providers are compliant.