Responding to a Department of Health and Human Services Office of Inspector General (OIG) report recommending stronger oversight of covered entities’ compliance with the HIPAA Privacy Rule, the Office for Civil Rights (OCR) stated that in early 2016 it will launch Phase 2 of its audit program measuring compliance with HIPAA’s privacy, security and breach notification requirements by covered entities and business associates.

After conducting a study to assess OCR’s oversight of covered entities’ compliance with the HIPAA Privacy Rule, OIG issued a report finding that OCR should strengthen its oversight of covered entities and making several recommendations. Specifically, OIG recommended that OCR:

  1. fully implement a permanent audit program;
  2. maintain complete documentation of corrective action;
  3. develop an efficient method in its case-tracking system to search for and track covered entities;
  4. develop a policy requiring OCR staff to check whether covered entities have been previously investigated; and
  5. continue to expand outreach and education efforts to covered entities.

OCR concurred with each of OIG’s recommendations. In its response to the report, OCR stated it is moving forward with a permanent audit program and will launch Phase 2 of that program in early 2016. The program will target common areas of noncompliance and will include business associates as well as covered entities. Phase 2 “will test the efficacy of the combination of desk reviews of policies as well as on-site reviews.” Accordingly, both covered entities and business associates should be reviewing their HIPAA policies and practices and developing a plan for working with OCR in on-site reviews.

OCR also indicated it is working on improving its ability to document and track corrective actions taken by covered entities and business associates in response to an OCR investigation. In addition, OCR revealed that it now has the ability to search for and track covered entities’ compliance history. OCR will now require investigators to check for prior investigations at the outset of new investigations of covered entities and business associates. This may mean a greater likelihood of on-site visits if a covered entity’s history indicates a potential for systemic compliance issues.

Finally, OCR agreed with OIG’s recommendation that it should continue to expand its outreach and education efforts. Information about those efforts can be found in Appendix C to OIG’s report.

As we previously reported, having the right documents in place can go a long way toward helping an organization survive an OCR HIPAA audit. Now that it is clear that these audits are coming early next year, it is important that covered entities and business associates invest the time in identifying and closing any HIPAA compliance gaps before an OCR investigator does this for them.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Michael R. Bertoncini Michael R. Bertoncini

Michael R. Bertoncini is a Principal in the Boston, Massachusetts, office of Jackson Lewis P.C. He practices labor and employment law, with a particular emphasis on labor relations, employment law counseling and litigation, and data privacy and security law.

In labor relations matters…

Michael R. Bertoncini is a Principal in the Boston, Massachusetts, office of Jackson Lewis P.C. He practices labor and employment law, with a particular emphasis on labor relations, employment law counseling and litigation, and data privacy and security law.

In labor relations matters, he regularly counsels clients on the practice of positive employee relations, negotiates collective bargaining agreements on behalf of organized clients, represents clients in labor arbitrations and National Labor Relations Board proceedings, and counsels clients with respect to rights and obligations under collective bargaining agreements and applicable labor and employment laws. He also has extensive experience in advising organizations responding to corporate campaigns and negotiating neutrality agreements.

Mr. Bertoncini’s privacy and data security practice focuses on advising clients on complying with HIPAA and other state and federal privacy and data security laws. He regularly reviews and develops policies and procedures, written information security plans and integrated compliance programs to assist clients in meeting their obligations under privacy and data security laws. Mr. Bertoncini has represented clients in investigations of alleged data breaches and advises them on their reporting obligations in the event of a data breach. He also conducts workplace training programs on HIPAA compliance and related privacy and data security topics.

Before joining Jackson Lewis, Mr. Bertoncini was Deputy General Counsel for a hospital system that is the largest fully integrated community care organization in New England. He was responsible for all of the system’s labor and employment law matters, and was involved in its acquisition by a private equity firm as well as its growth from six to ten hospitals in a twelve-month period. His three years as in-house counsel for this large health care system give Mr. Bertoncini a keen understanding of the impact of labor and employment law issues on clients’ business operations.

In addition to his labor relations and privacy experience, Mr. Bertoncini has extensive experience in conducting internal investigations and counseling clients on whistleblower and retaliation matters, as well as negotiating executive agreements, both employment and separation agreements. Mr. Bertoncini also represents clients in the litigation of employment matters. His litigation experience includes matters before federal and state courts and administrative agencies. He has appeared before United States Courts of Appeals and District Courts, Massachusetts and New York state courts, the Equal Employment Opportunity Commission, and the Massachusetts Commission Against Discrimination.

Mr. Bertoncini is a frequent speaker and trainer on labor and employment law topics for various organizations including Massachusetts Continuing Legal Education, Council on Education in Management, Lorman Education Services, the Boston Bar Association, and several chambers of commerce.

While attending Boston College, he received the John A. McCarthy, SJ Award for the most distinguished Scholar of the College thesis.