OCR Publishes HIPAA/HITECH Act Privacy and Security Compliance Audit Protocol

July 9, 2012.  Late in June, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) published its HIPAA/HITECH Act Privacy and Security Compliance Audit Protocol.  Here is OCR’s description of the program, which outlines 77 audit procedures for the HIPAA Security Rule and 88 audit procedures for the HIPAA Privacy and HITECH Act Breach Notification Rules: “The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate.  OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits.  The entire audit protocol is organized around modules, representing separate…

READ MORE

OCR Penalizes Physician Practice for HIPAA Privacy and Security Rule Violations

April 18, 2012.  Late last week, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) executed a Resolution Agreement and included Corrective Action Plan (Appendix A) as a settlement for violations of HIPAA Privacy and Security Rules by a physician practice, Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, AZ. In its April 17, 2012, News Release, HHS stated: “The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and…

READ MORE

OCR Issues Draft Guidance on Security Risk Analysis

The Office for Civil Rights (OCR) of the Department of Health and Human Services  (HHS) issued on May 7, 2010, Security Rule Draft Guidance on Risk Analysis. This is the first in a “series of guidance documents [that] will assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information.  The materials will be updated annually, as appropriate.” This eight-page document is available online. The Draft Guidance on Risk makes the following key points: “The Security Rule does not prescribe a specific risk analysis methodology, recognizing that methods will vary dependent on the…

READ MORE