January 2017
Polsinelli Prepares for the Coming HIPAA Storm with Another OCR Hire

Over the past several months, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has ramped up its activity and enforcement efforts. Phase 2 audits are underway, and OCR recently announced that it sent desk audit document requests to 48 business associates (in addition to the 167 covered entities that received document requests a few months prior). We understand that, at the end of 2016, some providers who were not subject to a desk audit received notice of an on-site audit, and an OCR Senior Advisor confirmed that OCR will be conducting on-site audits of hospitals in 2017.

But OCR is not just focused on the audit program. In August 2016, OCR announced that it was going to begin investigating breaches affecting under 500 individuals ("Under 500 Breaches"). Historically, OCR had not investigated Under 500 Breaches as a matter of course – but, as Bob Dylan once wrote, “Times They Are A Changing.” As part of this new initiative, we understand that each of OCR's regional offices has been instructed to investigate a certain number of Under 500 Breaches, and it appears those investigations have begun. Over the past month, some of our clients received data requests about Under 500 Breaches they reported in 2015, and OCR seems to be using these investigations to perform "compliance checks" – delving into HIPAA compliance areas unrelated to the areas/issues that caused or relate to the Under 500 Breaches that triggered the review. According to OCR, when determining whether to investigate Under 500 Breaches, it may consider the number of individuals affected by the breach; the amount and type of protected health information (PHI) involved; breaches caused by theft or improper disposal of PHI; hacking incidents; or entities that have filed numerous Under 500 Breaches involving the same types of issues. Thus, we believe any entity that reported Under 500 Breaches that fit or highlight these focus areas should be prepared for an OCR compliance review.
