HealtHITechLaw HIPAA, HITECH and Beyond

Tag Archives: Covered Entity

HHS HIPAA Security Risk Assessment Tool Now Available

Posted in Security

Many thanks once again to our colleague, Sylvia Brown, for her assistance in authoring this post. The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the U.S. Department of Health & Human Services (HHS) Office of Civil Rights (OCR), recently released a security risk assessment tool (SRA Tool) to assist entities… Continue Reading

OCR TO BEGIN SECOND ROUND OF HIPAA AUDITS

Posted in Enforcement, OCR Audits

The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) has announced that it is gearing up for its second round of HIPAA compliance audits later this year.  The HIPAA Audit Program is authorized under Section 13411 of the HITECH Act and is intended to assess compliance with the HIPAA Privacy, Security,… Continue Reading

OIG Report Criticizes HIPAA Oversight

Posted in OCR Audits, Security

The HHS Office of Civil Rights (“OCR”) has failed to comply with the HITECH Act’s mandate to audit HIPAA covered entities and business associates, according to a recent report published by the HHS Office of Inspector General (“OIG”). The OIG said that OCR “had not assessed the risks, established priorities, or implemented controls for its HITECH requirement… Continue Reading

OCR Issues Guidance on Refill Reminder Exception to HIPAA Marketing Rule

Posted in Enforcement, Rulemaking

Prompted by litigation filed by Adheris[1] as well as concerns raised by consumer advocates and health care stakeholders regarding the viability of prescription refill reminder programs under HIPAA’s stricter marketing prohibitions, on September 19, 2013, OCR issued additional guidance regarding the scope of HIPAA’s refill reminder exception.  Notably, OCR also delayed enforcement on this issue… Continue Reading

The Final Omnibus HIPAA Rule: Are You Ready?

Posted in Enforcement, Rulemaking

As we mentioned in last week’s Webinar on the HIPAA Final Omnibus Rule, there are less than nine short months for covered entities and their business associates (and all downstream business associates) to comply with the HIPAA final rules.  For those entities that have already taken steps following the release of the HITECH interim rules, the… Continue Reading

OCR Presents Preliminary HIPAA Audit Findings

Posted in Enforcement

OCR’s Audit Program, which began in December 2011, is part of HHS’ efforts under HITECH to assess HIPAA compliance by covered entities, identify best practices, and discover risks and vulnerabilities in protecting the privacy and security of PHI which may not have come to light through OCR’s complaint investigation and compliance reviews. OCR has repeatedly stated that… Continue Reading