HIPAA By The Numbers

Culled from recent law firm updates on JD Supra, here’s a look at the Health Insurance Portability and Accountability Act by the numbers:

150: The number of HIPAA audits of covered entities and their business associates that the Office of Civil Rights has hired KPMG to do before December 31, 2012. 

  • HIPAA Audits Are Coming: KPMG Contracted to Perform 150 Audits Through 2012 (Ober | Kaler):

    “You can’t run and you can’t hide — HIPAA audits are coming. HHS, through the Office of Civil Rights (OCR) recently named KPMG as the recipient of a $9.2 million contract to develop a HIPAA auditing protocol and conduct audits on 150 covered entities and business associates before December 31, 2012. An additional $180,000 contract has been awarded to Booz Allen Hamilton for “OCR HIPAA Audit Candidate Identification.” If they identify you, are you prepared?”

5010: As in 5010 Transaction Standards. The Centers for Medicare & Medicaid Services have organized “National 5010 Testing Days” to test compliance efforts already underway.

  • HIPAA – National 5010 Testing Days are Underway (Ober | Kaler):

    “As part of the upcoming transition to the 5010 transaction standards (which will replace the existing version of the X-12 standards for all HIPAA covered entities) CMS has organized ‘National 5010 Testing Days.’ CMS has explained that the testing days will encourage collaboration between providers and the Medicare Administrative Contractors (MACs) by allowing providers ‘to come together and test compliance efforts that are already underway with the added benefit of real-time help desk support and direct and immediate access to MACs.’”

9,158: The number of HHS Office of Civil Rights HIPAA-related incidents in 2010 (nearly double that of 2004, the first full year for which HHS OCR has published data), which resulted in 4,229 investigations and 2,703 corrective actions:

  • Corrective Action Plans Can Mean Significant Compliance Monitoring Requirements (Ober | Kaler):

    “In the wake of HHS’s contract with KPMG to perform 150 HIPAA compliance audits in 2011 and 2012, it is clear that the government is moving into a phase of active and aggressive enforcement, which will mean an uptick in the number and types of providers that face HHS OCR investigations and possible penalties. Providers concerned about these investigations should develop a better understanding of the tools that HHS Office of Civil Rights (OCR) has used to resolve major noncompliance with the Privacy and Security Rules: Resolution Agreements and Corrective Action Plans (CAPs).”

$865,000: The amount UCLA Health System was fined for unauthorized access by its employees to electronic protected health information of UCLAHS patients.

  • UCLA Resolves Privacy and Security Rule Violations (Ober | Kaler):

    “Curious employees are getting expensive. In a July 6, 2011 Resolution Agreement and Corrective Action Plan (CAP) [PDF], the Regents of the University of California, on behalf of the University of California at Los Angeles Health System, agreed to pay $865,500 and enter a three-year compliance monitoring and reporting program (a “corrective action plan” or CAP) for a HIPAA violation.”

$4.3 million: Cignet’s civil monetary penalty for violating HIPAA’s Privacy Rule:

