On July 12, 2016, HHS’s Office for Civil Rights (OCR) distributed an e-mail discussing recent developments in Phase II of its HIPAA audit program.

For those looking to catch up on the Phase II audits, we provided readers with an overview of the audits back in March. In April, we discussed the HIPAA Audit Protocol that OCR is using to conduct the Phase II audits.  And in May, we alerted readers to the notifications that OCR was e-mailing to covered entities in an effort to verify their contact information.

In its latest e-mail, OCR confirms that notification letters were delivered on Monday, July 11, 2016, to 167 health plans, health care providers and health care clearinghouses notifying them of their inclusion in the desk audit portion of the audit program. The desk audits will examine the selected entities’ compliance with HIPAA’s Privacy, Security, and Breach Notification Rules by examining certain documentation that the entities are required to maintain under HIPAA. OCR provides the following table setting forth the subject matter of the documentation review:

[Table: HIPAA Desk Audit]

Notably, the three areas covered under the Privacy Rule relate to how patients are made aware of their rights under HIPAA and how they can access their own medical records.  The desk audit does not focus on policies related to uses and disclosures of PHI.  This emphasis dovetails with OCR's recent efforts to educate patients and providers about patient access rights (which we previously covered here).

Entities have 10 business days, until July 22, 2016, to respond to the document requests.

OCR separately notes that desk audits of business associates will be occurring this fall. We will continue to follow developments in the Phase II audit program and bring you updates and analysis as they occur.

Earlier this month, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced the release of three YouTube videos and an infographic on individuals’ rights to access health information. In contrast to guidance on the same topic published earlier this year, these videos are specifically geared toward consumers in an effort to increase individuals’ understanding of their rights under HIPAA. Each video focuses on a specific topic: the basics of an individual’s access rights; the fees that may be charged for such access; and the rights of third parties to access an individual’s health information. The infographic also provides an overview of these rights.

OCR explained that consumers’ understanding of their basic access rights is important in helping patients take more control over their healthcare decisions. OCR also noted that individuals who access their health information are more equipped to follow treatment plans, discover errors in their medical records, and share their information for research purposes. Even though this new guidance was developed for consumers, OCR’s repeated recent dissemination of information on this issue demonstrates its dedication to individual access rights.  Healthcare entities must ensure that they have the proper policies, procedures, and training to comply.

Separately, in security-related news, OCR issued a warning on June 7 regarding vulnerabilities in third-party applications. While Covered Entities and Business Associates are more cognizant of vulnerabilities in operating systems and install updates and patches as needed, OCR reported that companies are less likely to do the same for third-party applications. To beef up security in these applications, OCR suggests that Covered Entities and Business Associates should:

  1. test third-party applications for security vulnerabilities prior to installation and on a regular basis afterward;
  2. install patches or updates to the software continuously; and
  3. carefully review end user license agreements to understand security risks in the applications.

It is no secret that the Health Insurance Portability and Accountability Act (HIPAA) is a trap for the unwary. A recent study by the non-profit ProPublica has uncovered that the online review site Yelp (as well as other rating sites) is making it easier for covered entities to be ensnared.  With the cooperation of Yelp and the use of analytical tools developed by NYU, ProPublica analyzed over 1.7 million Yelp reviews and identified over 3,500 one-star reviews in which patients mention privacy or HIPAA. ProPublica found that in dozens of instances, responses to patient complaints about care spiraled into disputes over patient privacy.

In one example, a chiropractor in California replied to a mother’s claim that he misdiagnosed her daughter with scoliosis, stating in his reply to her one-star review that “You brought your daughter in for the exam in early March 2014…The exam identified one or more of the signs I mentioned above for scoliosis. I absolutely recommended an x-ray to determine if this condition existed; this x-ray was at no additional cost to you.” HIPAA applies to covered entities, business associates and healthcare clearinghouses, and protects information that those entities maintain that is related to an individual’s past, present or future health condition, provided that there is a reasonable basis to believe the information can be used to identify the individual.  Since Yelp reviews display the reviewer’s first name and the initial of their last name, it is reasonable to believe that the information in the chiropractor’s reply, which includes a discussion of a potential medical condition, could be used to identify the mother and in turn the daughter. (For purposes of HIPAA, it is irrelevant that the mother’s initial review already identified herself and her daughter.) A violation is even more likely when the response pertains to the reviewer and not a family member. Continue Reading Study Finds Widespread HIPAA Violations Occurring on Yelp


Covered Entities need to continue to check their inboxes for emails from the HHS Office for Civil Rights (“OCR”) requesting verification of contact information in connection with Phase 2 of the HIPAA Audit Program. OCR previously indicated that Covered Entities would begin to receive verification emails in May.  We understand that Covered Entities continue to receive emails requesting contact information verification this week.

Emails are sent from OSOCRAudit@hhs.gov and request a response from the entity verifying its information within five days.  A sample copy of the email is available from OCR’s website.  The receipt of an email requesting contact verification does not necessarily mean that an entity will ultimately be selected for an audit.  Covered Entities can begin to prepare for the next step in the audit process by reviewing OCR’s audit pre-screening questionnaire.

For the time being, Business Associates are not being contacted.  OCR will request a list of Business Associates from Covered Entities and plans to begin contacting Business Associates selected for audit this summer.  Business Associates should use this extra time to ensure that they are ready for an audit should they be selected.   OCR has provided a sample template for Covered Entities to use to list their Business Associates.

For further information on the Phase 2 Audits, please see our prior posts detailing the Phase 2 Audit program and discussing the audit protocol and other audit-related materials from OCR.  In order to assist covered entities and business associates with their HIPAA compliance efforts, we have repackaged the audit protocol into a more user-friendly format that can be downloaded here.


Earlier this month the Department of Health and Human Services Office for Civil Rights (OCR) released a revamped audit protocol that now addresses the requirements of the 2013 Omnibus Final Rule. OCR will be using the audit protocol for its impending Phase 2 audits of covered entities and business associates, which are set to begin next month.

The protocol covers the following subject areas:

  • Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • Security Rule requirements for administrative, physical, and technical safeguards.
  • Breach Notification Rule requirements.

Continue Reading OCR Releases New HIPAA Audit Protocol and Other Audit-Related Materials

On March 21st, the HHS Office for Civil Rights (“OCR”) officially launched Phase 2 of the HIPAA Audit Program. Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails from OCR that will begin the audit process.

Why Audits? Why Now?

The Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) requires OCR to periodically audit both Covered Entities and Business Associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR conducted Phase 1 audits in 2011 and 2012. The Phase 1 audits only examined Covered Entities and the results were generally disappointing. Only 11% of the entities audited had no findings or observations and many findings related to Security Rule compliance. After many delays, OCR is now proceeding with Phase 2.

What’s Happening This Time Around?

OCR will conduct both desk audits and on-site audits of Covered Entities and Business Associates. The first round of desk audits will be for Covered Entities, with a second round for Business Associates. Desk audits are supposed to be completed by December 2016. Entities selected for audits will be notified via email and will have 10 business days to submit requested information to OCR through an online portal. Auditors will share draft audit reports with audited entities, allowing them 10 business days to review the draft report. A final report will be shared with the entity.

For those entities subject to on-site audits, auditors will spend between three and five days on-site with the organization. OCR describes the on-site audits as “more comprehensive” and “covering a wider range of requirements from the HIPAA Rules.” Since OCR recently released guidance on patient rights to access their health information and on the fees that providers may charge for such access (previously covered by our blog here), access issues appear ripe for a broader audit.

Finally, audits that uncover serious issues may trigger an OCR compliance review in addition to the audit. Continue Reading Ready or Not, It’s Time For Phase 2 HIPAA Audits

As we have repeatedly emphasized on this blog, HIPAA Covered Entities must ensure that they have compliant business associate agreements (“BAAs”) in place with all of their business associates and must ensure that they have performed a comprehensive risk assessment. A $1.55 million settlement between North Memorial Health Care of Minnesota (“NMHC”) and the Office for Civil Rights (“OCR”) announced this week emphasizes the seriousness of these requirements.

NMHC came under investigation by OCR after a September 2011 breach involving the theft of an unencrypted laptop from a business associate’s employee’s car. The laptop contained the electronic protected health information of nearly 10,000 individuals. The investigation uncovered that NMHC had not entered into a BAA with the business associate, Accretive Health, when it engaged Accretive in March 2011 and did not enter into a BAA until October 2011. During this interim period, Accretive had access to the protected health information of more than 250,000 individuals. Additionally, OCR found that NMHC had not conducted an accurate and thorough enterprise-wide risk analysis. Continue Reading Don’t Neglect Your Business Associate Agreements!

Recent enforcement actions by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) have highlighted that, not surprisingly, Covered Entities should not leave medical records in a physician’s driveway and should not dispose of protected health information (“PHI”) in a dumpster. From an action against a home health care provider announced yesterday, we can now add to that list the fact that PHI should not be stored under an employee’s bed or in a kitchen drawer.

Yesterday OCR announced a January 13, 2016 decision by an HHS Administrative Law Judge (“ALJ”) upholding the imposition of $239,800 in civil monetary penalties (“CMP”) against Lincare, Inc. (“Lincare”). Lincare is a home health care company that provides respiratory care, infusion therapy, and medical equipment from centers located throughout the United States. The enforcement action stems from a December 2008 complaint by the estranged husband of a Lincare employee. The husband reported to OCR that his wife, a center manager for a Lincare center in Arkansas, had moved out of the home they shared in August 2008. In November 2008, the husband found PHI of 278 Lincare patients in the home, specifically “under a bed and in a kitchen drawer.” Further investigation by OCR revealed that the employee continuously stored PHI in her car and in her home. The investigation also uncovered the fact that Lincare’s privacy policy did not include policies or instructions to employees for protecting PHI taken offsite or any type of logging systems for tracking PHI taken offsite. Continue Reading Latest OCR Enforcement Action: Underbed Storage is Not Appropriate for PHI

As the year winds down, we look back with a mixture of nostalgia and queasiness on the major Health Insurance Portability and Accountability Act (HIPAA) events that defined 2015.    Incredibly large data breaches became disturbingly routine, calling into question the ability of insurers and providers to protect their increasingly large troves of sensitive health information.  We also saw the release of an Office of Inspector General (OIG) report that was highly critical of the Federal government’s ability to effectively enforce HIPAA, followed almost immediately by signs of more aggressive enforcement from the Office for Civil Rights (OCR), perhaps in response.  We waited for commencement of the second round of HITECH-mandated audits, but it never came.  As regulated entities prepare for a new year of regulatory challenges, we review the highlights — and lowlights — of HIPAA 2015, and prepare for what’s to come in 2016. Continue Reading HIPAA and Health Care Data Privacy – 2015 Year in Review

As HIPAA-regulated entities anxiously await the commencement of the Phase II HIPAA audit program, the Office of the Inspector General (OIG) for the Department of Health and Human Services (HHS) has issued a report critical of the Office for Civil Rights’ (OCR) HIPAA enforcement performance, effectively giving OCR “something to prove.”

The report, released on September 28, 2015, examines whether OCR — the office within HHS charged with enforcing HIPAA — is sufficiently exercising its oversight responsibilities. The OIG specifically focused on whether OCR is sufficiently overseeing covered entities’ compliance with HIPAA’s Privacy Rule.  The OIG found a number of areas where OCR’s oversight is lacking. Continue Reading Just in Time for the Phase II Audits: OIG Criticizes OCR’s Enforcement Efforts