When the Privacy Cops Call
The Department of Health and Human Services Office for Civil Rights reviews all reports of breaches of protected health information affecting more than 500 individuals, says David Holtzman, a health information privacy specialist at OCR.
The Department of Health and Human Services’ Office for Civil Rights reviews all reports of breaches of protected health information affecting more than 500 individuals, says David Holtzman, a health information privacy specialist at OCR.
At the Safeguarding Health Information conference in Washington, Holtzman outlined several issues that organizations that have experienced a large breach should be prepared to respond to. They include a determination of the root cause of the breach, identification of gaps in compliance with HIPAA privacy and security rules that led to the breach, and evidence that the root cause has been addressed to ensure further breaches do not occur.
OCR investigations into violations of the HIPAA privacy rule have brought corrective changes to more than 10,000 organizations, Holtzman says. In the past year, the office also became the enforcer of the HIPAA security rule and the breach notification rule.
Under the HITECH Act, penalties for privacy and security rule violations have been significantly enhanced particularly for incidents resulting from “willful neglect” to comply with the rules--up to $50,000 per violation with an annual cap of $1.5 million for all identical violations.
Asked if OCR would like to see the lack of password protection and encryption as presumptive evidence of willful neglect, Holtzman replied that the issue would be addressed in forthcoming rules. He declined to directly answer a question about whether OCR will randomly audit organizations for privacy and security rule compliance. He did say that the Department of Health and Human Services has been given the authority to conduct audits and is currently developing a plan to implement an audit program.
--Joseph Goedert
At the Safeguarding Health Information conference in Washington, Holtzman outlined several issues that organizations that have experienced a large breach should be prepared to respond to. They include a determination of the root cause of the breach, identification of gaps in compliance with HIPAA privacy and security rules that led to the breach, and evidence that the root cause has been addressed to ensure further breaches do not occur.
OCR investigations into violations of the HIPAA privacy rule have brought corrective changes to more than 10,000 organizations, Holtzman says. In the past year, the office also became the enforcer of the HIPAA security rule and the breach notification rule.
Under the HITECH Act, penalties for privacy and security rule violations have been significantly enhanced particularly for incidents resulting from “willful neglect” to comply with the rules--up to $50,000 per violation with an annual cap of $1.5 million for all identical violations.
Asked if OCR would like to see the lack of password protection and encryption as presumptive evidence of willful neglect, Holtzman replied that the issue would be addressed in forthcoming rules. He declined to directly answer a question about whether OCR will randomly audit organizations for privacy and security rule compliance. He did say that the Department of Health and Human Services has been given the authority to conduct audits and is currently developing a plan to implement an audit program.
--Joseph Goedert
More for you
Loading data for hdm_tax_topic #reducing-cost...