The HHS Office for Civil Rights will start ramping up HIPAA privacy/security rule audits during 2014 and a session on February 24 at HIMSS14 will get into details on what providers need to know.

Susan McAndrew, deputy director for privacy in OCR, will walk through the rationale and components of the audit program.

James Wieland, a principal and HIPAA attorney at the Ober/Kaler law firm in Baltimore, then will discuss tricky areas within the revised HIPAA privacy, security and breach notification rules that became effective in 2013. He’ll discuss new policies for assessing a breach of protected health information and how to balance factors to decide if it is reportable, new liability issues with business associates and the need to monitor their compliance with HIPAA, and the scope of responsibility downstream to business associates and subcontractors when a patient requests that certain information not be disclosed, among other issues.

Wieland also will talk about legal traps that could cause unnecessary problems for covered entities, such as overly broad contract language that gives a covered entity more control over a business associate than it really needs to have, which could expose the covered entity to an unnecessary level of liability. Lawyers, he explains, want to control everything a business associate does. But business associates will be judged on the extent that a covered entity can control its activities. If a covered entity doesn’t have the knowledge and duties of a business associate, then it shouldn’t put itself in position of being responsible for actions of the business associate.

Another tip Wieland will pass on is to arrange with a credit/ID protection agency--in advance of a breach--to offer such services after a breach occurs. The cost of credit insurance has fallen significantly and having the service already contracted shows an organization’s commitment to protect patients, he says. Plus, the cost is even lower when arranging services in advance.

For McAndrew and Wieland, the goal of the session is pretty simple, he says. “They’ll get some useful tools for managing HIPAA compliance.” Education session 18, “HIPAA Compliance: Stepping It Up in 2014,” is scheduled at 10 a.m. on Tuesday, Feb. 24.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access