Culled from recent law firm updates on JD Supra, here’s a look at the Health Insurance Portability and Accountability Act by the numbers:
150: The number of HIPAA audits of covered entities and their business associates that the Office of Civil Rights has hired KPMG to do before December 31, 2012.
- HIPAA Audits Are Coming: KPMG Contracted to Perform 150 Audits Through 2012 (Ober | Kaler):
“You can’t run and you can’t hide — HIPAA audits are coming. HHS, through the Office of Civil Rights (OCR), recently named KPMG as the recipient of a $9.2 million contract to develop a HIPAA auditing protocol and conduct audits on 150 covered entities and business associates before December 31, 2012. An additional $180,000 contract has been awarded to Booz Allen Hamilton for “OCR HIPAA Audit Candidate Identification.” If they identify you, are you prepared?”
5010: As in 5010 Transaction Standards. The Centers for Medicare & Medicaid Services have organized “National 5010 Testing Days” to test compliance efforts already underway.
- HIPAA – National 5010 Testing Days are Underway (Ober | Kaler):
“As part of the upcoming transition to the 5010 transaction standards (which will replace the existing version of the X-12 standards for all HIPAA covered entities), CMS has organized ‘National 5010 Testing Days.’ CMS has explained that the testing days will encourage collaboration between providers and the Medicare Administrative Contractors (MACs) by allowing providers to ‘come together and test compliance efforts that are already underway with the added benefit of real-time help desk support and direct and immediate access to MACs.’”
9,158: The number of HHS Office of Civil Rights HIPAA-related incidents in 2010 (nearly double that of 2004, the first full year for which HHS OCR has published data), which resulted in 4,229 investigations and 2,703 corrective actions:
- Corrective Action Plans Can Mean Significant Compliance Monitoring Requirements (Ober | Kaler):
“In the wake of HHS’s contract with KPMG to perform 150 HIPAA compliance audits in 2011 and 2012, it is clear that the government is moving into a phase of active and aggressive enforcement, which will mean an uptick in the number and types of providers that face HHS OCR investigations and possible penalties. Providers concerned about these investigations should develop a better understanding of the tools that HHS Office of Civil Rights (OCR) has used to resolve major noncompliance with the Privacy and Security Rules: Resolution Agreements and Corrective Action Plans (CAPs).”
$865,000: The amount UCLA Health System was fined for unauthorized access by its employees to electronic protected health information of UCLAHS patients.
- HIPAA Enforcement Against UCLA and New Rule Proposal Bring Scrutiny to Workforce Access to Health Information (Poyner Spruill LLP):
“OCR’s enforcement action against UCLAHS followed an extended period in which employees allegedly repeatedly accessed ePHI of many patients, including several celebrity patients, when they did not have any job-related need to access the data. OCR’s investigation of this potential HIPAA violation led to the identification of multiple alleged deficiencies by UCLAHS under the Privacy and Security Rules.”
- UCLA Resolves Privacy and Security Rule Violations (Ober | Kaler):
“Curious employees are getting expensive. In a July 6, 2011 Resolution Agreement and Corrective Action Plan (CAP), the Regents of the University of California, on behalf of the University of California at Los Angeles Health System, agreed to pay $865,500 and enter a three-year compliance monitoring and reporting program (a “corrective action plan” or CAP) for a HIPAA violation.”
- Proposed HIPAA Reporting Requirement May Lead to Increased Compliance Costs and Enforcement Action (Poyner Spruill LLP):
“On May 31, 2011, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued a notice of proposed rulemaking (NPRM) that would allow individuals to obtain an “access report” from HIPAA covered entities reporting virtually every instance of access to their electronic protected health information (ePHI), including all access by individual employees.”
$4.3 million: Cignet’s civil monetary penalty for violating HIPAA’s Privacy Rule:
- SZD Health Law Strategist: Vigorous HIPAA Privacy Rule enforcement; Impact of Sunshine Law on physicians (Schottenstein Zox & Dunn Co., LPA):
“With the announcements of Cignet’s $4.3 million civil monetary penalties and two recent resolution payments, HHS’ Office of Civil Rights sent a clear message that it is serious about enforcement of HIPAA’s Privacy Rule.”