Last week, the HHS Office for Civil Rights (OCR) launched an improved version of their HIPAA Breach Reporting Tool (HBRT), commonly referred to by OCR and regulated entities alike as the HIPAA “Wall of Shame.” OCR has also made minor changes to the interface for breach reporting.

The HBRT now makes it easy to navigate and mine information on all reported data breaches (breaches must be reported when they involve the protected health information of 500 or more people).


Covered Entities need to continue to check their inboxes for emails from the HHS Office for Civil Rights (“OCR”) requesting verification of contact information in connection with Phase 2 of the HIPAA Audit Program. OCR previously indicated that Covered Entities would begin to receive verification emails in May. We understand that Covered Entities continue to receive emails requesting contact information verification this week.

Emails are sent from and request a response from the entity verifying its information within five days. A sample copy of the email is available from OCR’s website. The receipt of an email requesting contact verification does not necessarily mean that an entity will ultimately be selected for an audit. Covered Entities can begin to prepare for the next step in the audit process by reviewing OCR’s audit pre-screening questionnaire.

For the time being, Business Associates are not being contacted. OCR will request a list of Business Associates from Covered Entities and plans to begin contacting Business Associates selected for audit this summer. Business Associates should use this extra time to ensure that they are ready for an audit should they be selected. OCR has provided a sample template for Covered Entities to use to list their Business Associates.

For further information on the Phase 2 Audits, please see our prior posts detailing the Phase 2 Audit program and discussing the audit protocol and other audit-related materials from OCR. In order to assist covered entities and business associates with their HIPAA compliance efforts, we have repackaged the audit protocol into a more user-friendly format that can be downloaded here.


On March 21st, the HHS Office for Civil Rights (“OCR”) officially launched Phase 2 of the HIPAA Audit Program. Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails from OCR that will begin the audit process.

Why Audits? Why Now?

The Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) requires OCR to periodically audit both Covered Entities and Business Associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR conducted Phase 1 audits in 2011 and 2012. The Phase 1 audits only examined Covered Entities and the results were generally disappointing. Only 11% of the entities audited had no findings or observations and many findings related to Security Rule compliance. After many delays, OCR is now proceeding with Phase 2.

What’s Happening This Time Around?

OCR will conduct both desk audits and on-site audits of Covered Entities and Business Associates. The first round of desk audits will be for Covered Entities, with a second round for Business Associates. Desk audits are supposed to be completed by December 2016. Entities selected for audits will be notified via email and will have 10 business days to submit requested information to OCR through an online portal. Auditors will share draft audit reports with audited entities, allowing them 10 business days to review the draft report. A final report will be shared with the entity.

For those entities subject to on-site audits, auditors will spend between three and five days on-site with the organization. OCR describes the on-site audits as “more comprehensive” and “covering a wider range of requirements from the HIPAA Rules.” Since OCR recently released guidance on patient rights to access their health information and on the fees that providers may charge for such access (previously covered by our blog here), access issues appear ripe for a broader audit.

Finally, audits that uncover serious issues may trigger an OCR compliance review in addition to the audit.

Earlier this week Mintz Levin’s Privacy & Security Matters blog posted some useful “bytes” to consider for the latest installment of the “Privacy Monday” series.

Of particular interest for those following health care privacy and security matters is the recent House Energy & Commerce Committee report revealing data breaches and vulnerabilities involving HHS. The Privacy and Security Matters blog post also provides some very practical privacy pointers and most importantly, an invite to our webinar discussion of vendor risk management and data protection on August 26 at 1PM ET.

Click here to get these handy end-of-summer bytes.

Written by: Rachel Irving Pitts

Earlier this week, my colleague Dianne Bourque commented on a small medical practice’s inability to access its patients’ medical records one July day after its EHR vendor blocked the practice from pulling the data stored in the EHR. In the Boston Globe article, the EHR vendor compared the situation to an electric company turning off the power after months of nonpayment. As technology advances, we abandon “outdated” ways of doing things: our cordless phones won’t work when our power is shut off, and a doctor who has switched to an EHR can’t grab the paper chart off the stacks when the EHR shuts down. A main purpose of the push for providers to adopt EHRs is to streamline patient care: a doctor at the hospital doesn’t have to wait for the primary care provider’s chart with the relevant medical history to be delivered or faxed, but simply uploads the relevant data set with the patient’s history so they can diagnose and treat the patient. But that all goes out the window if your EHR goes dark and you can’t get to the records.

Written by: Stephanie D. Willis

The mobile app and wearables market in health care is booming, most recently evidenced by Apple’s entry into the market with its widely anticipated “HealthKit,” a purportedly secure platform that allows mHealth apps to share users’ health and fitness data with the new Health app and with each other. But mobile apps, particularly those used by health care organizations, can allow unauthorized access to patients’ Protected Health Information if they are not evaluated for security and privacy risks. For guidance on how to address these risks, click here to see our post at Privacy & Security Matters on the draft Technical Considerations for Vetting 3rd Party Mobile Applications (the Vetting Report) issued by the National Institute of Standards and Technology (NIST) in August 2014.

NIST is seeking comments on the Vetting Report until September 18th, so there is still time for organizations contemplating a third-party mobile app vetting process to inform NIST of any gaps that remain to be addressed in the Vetting Report. Regardless, all organizations, especially those in the health care industry, that want to use mobile app technologies in their operations should use the Vetting Report and NIST’s other guidance publications, in conjunction with the advice of experienced health care privacy counsel, to develop their own privacy and security evaluation processes to help weed out the mobile apps that may create risks of security incidents and breaches.

Written by: Stephanie D. Willis and Dianne J. Bourque

Last week, the HHS Office of Civil Rights (OCR) released two reports required by the Health Information Technology for Economic and Clinical Health (HITECH) Act: (i) the Annual Report to Congress on Breaches of Unsecured Protected Information (Breach Report); and (ii) the Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance (Compliance Report). In reviewing the Breach and Compliance Reports, Chief Information Officers, compliance and privacy officers, and information security professionals in the health care field should note five key lessons:

Written by: Stephanie D. Willis

The HHS Office of the National Coordinator (ONC) released its report “Connecting Health and Care for the Nation: A 10-Year Vision to Achieve an Interoperable Health IT Infrastructure” (the “Vision Plan”) last week to help refocus stakeholders on HHS’s goals for the use of health IT in the U.S. health care system. Although the goals are largely aspirational, the Vision Plan nevertheless articulates the ONC’s expectations of the IT capabilities that patients, providers, and other health care stakeholders should be able to leverage to improve health care quality and lower costs by 2024.

The ONC’s approach to the next decade of health IT advancement follows a three-phase approach, using the three-, six-, and ten-year marks as milestones for achieving broadly defined goals. To better understand the ONC’s milestones for health IT infrastructure development and usage, it is helpful to visualize the phases as one would envision building a house from the ground up.

Written By: Kimberly Gold

The HHS Office of Civil Rights (OCR) announced that the Health Information Technology (HIT) Policy Committee’s Privacy and Security Tiger Team will hold a virtual, public hearing on Monday, September 30 from 11:45 a.m. to 5:00 p.m. EDT to discuss approaches for providing patients with greater transparency about the uses and disclosures of their electronic protected health information (PHI). The hearing is also intended to address the HIPAA Privacy Rule “accounting of disclosures” requirement.


Written by: Dianne J. Bourque

In response to recent litigation as well as concerns from the health care industry and privacy advocates, the Office for Civil Rights (OCR) has published guidance regarding the scope of the refill reminder exception under the HIPAA Omnibus Rule. Specifically, OCR has made clear that third party providers of refill reminder services may be paid “fair market value” for their services.


The HIPAA Privacy Rule, as modified by the HIPAA Omnibus Rule, generally requires individuals to authorize uses or disclosures of their protected health information for marketing purposes. For example, a pharmacy cannot compile a list of customers on high blood pressure medication in order to target products of interest to those customers. Often, however, targeted communications can be useful for patients, so HIPAA contains exceptions, such as an exception for refill reminders and other communications about a drug or biologic currently prescribed for the individual. When a third party, such as a pharmaceutical company, pays for such a communication, the HIPAA Omnibus Rule requires that the payment be reasonably related to the cost of the communication, meaning the costs of labor, materials, postage and other out-of-pocket costs. This limitation caused concern for vendors of prescription refill reminder services, who were left with the choice of either breaking even on their services or violating the law by making a profit. The payment limitation prompted a lawsuit by Adheris, Inc. challenging the scope of the HIPAA Omnibus Rule on a constitutional basis and seeking to enjoin its enforcement.

OCR’s Clarification

Through guidance and FAQs published today, OCR has made clear that the permissible reasonable costs for a vendor’s provision of refill reminder or other adherence communications include the fair market value of the service. Note, however, that subsidized marketing communications made by a pharmacy or health care provider directly are still limited to the actual costs of making the communication. Regulated entities of all kinds should review the guidance and related FAQs and structure their outreach programs accordingly.