The May 2018 cybersecurity newsletter from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) focused on a topic often overlooked by covered entities and their business associates: physical security. The HIPAA Security Rule requires covered entities and business associates to implement “physical safeguards for all workstations that access ePHI [electronic protected health information] to restrict access to authorized users.” Technical controls such as encryption and access logging do not satisfy this standard on their own; the workstation itself, and the area around it, must be protected from unauthorized physical access.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced another large HIPAA-related settlement last week with Memorial Hermann Health System (Memorial Hermann), the largest not-for-profit health system in southeast Texas. Memorial Hermann agreed to pay $2.4 million and to comply with a corrective action plan after publicly disclosing a patient’s name in the title of a press release regarding an incident at one of its clinics. In a week that has been filled with high-tech cybersecurity issues (see our recent blog posts on the WannaCry attack here and here), this settlement is a good reminder of HIPAA obligations unrelated to technology.
Covered Entities should continue to check their inboxes for emails from the HHS Office for Civil Rights (“OCR”) requesting verification of contact information in connection with Phase 2 of the HIPAA Audit Program. OCR previously indicated that Covered Entities would begin to receive verification emails in May, and we understand that Covered Entities are continuing to receive them this week.
Emails are sent from OSOCRAudit@hhs.gov and request a response from the entity verifying its information within five days. A sample copy of the email is available from OCR’s website. Because the messages are sent automatically, OCR has advised entities to check their spam or junk folders so that a filtered message does not cause a missed response. Receipt of an email requesting contact verification does not necessarily mean that an entity will ultimately be selected for an audit. Covered Entities can begin to prepare for the next step in the audit process by reviewing OCR’s audit pre-screening questionnaire.
For the time being, Business Associates are not being contacted. OCR will request a list of Business Associates from Covered Entities and plans to begin contacting Business Associates selected for audit this summer. Business Associates should use this extra time to ensure that they are ready for an audit should they be selected. OCR has provided a sample template for Covered Entities to use to list their Business Associates.
For further information on the Phase 2 Audits, please see our prior posts detailing the Phase 2 Audit program and discussing the audit protocol and other audit-related materials from OCR. In order to assist covered entities and business associates with their HIPAA compliance efforts, we have repackaged the audit protocol into a more user-friendly format that can be downloaded here.