Tuesday, November 08, 2011

HIPAA/HITECH Audits: OCR Program to Audit 150 Covered Entities

Today the Office for Civil Rights (OCR) announced details of a pilot program to perform up to 150 audits of covered entities to assess privacy and security compliance under HIPAA. OCR will be conducting the audits between November 2011 and December 2012.

The days of waiting for HIPAA privacy and security enforcement activities are over. The announcement of these planned audits will get the attention of health care providers who have failed to focus on HIPAA privacy and security compliance efforts. The announcement will remind all health care providers to maintain an active, current HIPAA privacy and security compliance program.

OCR provides more detail on the audit program on the OCR HIPAA Audit Program page, including this description of the program objectives:
The audit program serves as a new part of OCR’s health information privacy and security compliance program. OCR will use the audit program to assess HIPAA compliance efforts by a range of covered entities. Audits present a new opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews. OCR will broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges via this web site and other outreach portals.
The OCR HIPAA Audit Program page also provides detail on when the audits will begin, who will be audited, how the audit process will work, and what will happen after the audit. The information indicates that they will select a broad range of covered entities for the first round of audits and that business associates will be included in future audits.

OCR provides the graphic below to help describe how the audits will be performed. Covered entities will be selected, notified, and asked to provide documentation of privacy and security compliance efforts within 10 business days. An onsite visit will occur and interviews will be performed. A draft report will be provided to the covered entity and there will be a procedure for the covered entity to discuss the areas of concern raised in the audit and describe any corrective action they may implement.

The HIPAA audits are a requirement under the American Recovery and Reinvestment Act of 2009 (Section 13411). Earlier this year HHS awarded KPMG a $9 million contract to assist OCR with the audits.

Friday, July 08, 2011

University of California Settles Potential HIPAA Privacy and Security Violations with OCR for $865,500

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced that the University of California at Los Angeles Health System (UCLAHS), which includes UCLA Ronald Reagan Medical Center, UCLA Santa Monica Medical Center and Orthopedic Hospital, Resnick Neuropsychiatric Hospital, and the Faculty Practice Group of UCLA, has agreed to settle potential violations under the HIPAA Privacy and Security Rules for $865,500. Read the OCR press release.

The settlement highlights that hospitals, physicians, and other covered entities must understand the importance of monitoring the level of access workforce members have to medical and health information. Covered entities must have policies and procedures in place and educate workforce members about only accessing records for necessary and permissible purposes. This settlement resulted from an investigation by OCR after certain celebrity/VIP patients at the UCLA facilities complained that hospital staff, including unauthorized physicians, had inappropriately accessed their health and medical information.

UCLAHS agreed to a Corrective Action Plan for a period of three years under the terms of the Resolution Agreement. The Corrective Action Plan requires UCLAHS to review and update its current HIPAA policies and procedures, conduct follow-up workforce training, monitor compliance and submit a monitoring plan, and submit an implementation report and annual reports to OCR. The Corrective Action Plan can be found attached to the Resolution Agreement.

The Resolution Agreement describes the events that led to the settlement as follows:
On June 5, 2009 and June 30, 2009, HHS began investigations of two separate complaints alleging that the Covered Entity was in violation of the Privacy and/or Security Rules. The investigations indicated that the following conduct occurred (“Covered Conduct”):
(i) During the period from August 31, 2005 to November 16, 2005, numerous Covered Entity workforce members repeatedly and without a permissible reason examined the electronic protected health information of Covered Entity patients, and during the period from January 31, 2008 to February 2, 2008, numerous Covered Entity workforce members repeatedly and without a permissible reason examined the electronic protected health information of a Covered Entity patient.

(ii) During the period 2005-2008, a workforce member of Covered Entity employed in the office of the Director of Nursing repeatedly and without a permissible reason examined the electronic protected health information of many patients.

(iii) During the period 2005-2008, Covered Entity did not provide and/or did not document the provision of necessary and appropriate Privacy and/or Security Rule training for all members of its workforce to carry out their function within the Covered Entity.

(iv) During the period 2005-2008, Covered Entity failed to apply appropriate sanctions and/or document sanctions on workforce members who impermissibly examined electronic protected health information.

(v) During the period from 2005-2009, Covered Entity failed to implement security measures sufficient to reduce the risks of impermissible access to electronic protected health information by unauthorized users to a reasonable and appropriate level.
More information and background can be found in the iHealthBeat article, UCLA Health System Agrees to Pay $865K over Privacy Breaches, including a link to a statement on the settlement issued by UCLA Health System.

Wednesday, July 06, 2011

4th Circuit Affirms Withholding of WV Medicaid Funds

Today the United States Court of Appeals for the 4th Circuit affirmed a ruling by the district court in West Virginia which sustained a disallowance of federal funding by the Centers for Medicare & Medicaid Services (CMS) against the West Virginia Medicaid Program.

The 4th Circuit decision in West Virginia Department of Health and Human Resources, Bureau for Medical Services vs. Kathleen Sebelius, et al. ruled that CMS acted within its authority when it withheld approximately $634,000 (later reduced to approximately $446,000) in Medicaid funding from the West Virginia Department of Health and Human Resources, Bureau for Medical Services, which administers West Virginia's Medicaid Program (DHHR). The withheld amount represented the federal share of overpayments made to providers as a result of the alleged fraud of Dey, Inc., a pharmaceutical company. CMS notified DHHR of the disallowance after Dey entered into an $850,000 settlement of claims brought by the West Virginia Attorney General on behalf of West Virginia under West Virginia's Consumer Credit and Protection Act.

CMS calculated the disallowance by multiplying the state's estimated damages allocable to Medicaid (approximately 67%) by the settlement amount, and then multiplying that figure by West Virginia's FMAP rate of 78.14% to arrive at the $446,000 amount. The HHS Departmental Appeals Board concluded that this allocation methodology was reasonable.

I have only done an initial review of the decision and won't go into the merits of the arguments at this time. Read the full decision for a more complete understanding of the decision and check out today's article in the Charleston Daily Mail.