A health compliance lawyer says health care entities’ past efforts to take federal health information data security rules seriously may be about to backfire.
There are hints that the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) may use a list of health care entities that have dealt with them in the past to pick 350 targets for the new “Phase 2” Health Insurance Portability and Accountability Act (HIPAA) privacy and data security audits, according to Edward Zacharias, a partner at McDermott Will & Emery.
For HIPAA compliance purposes, the term “covered entity” refers to insurers, hospitals and other entities that hold protected health information.
The term “business associate” includes entities that end up holding protected health information due to their relationships with a covered entity. The list of business associates of a health insurer typically includes insurance agents and benefit plan administrators.
HHS OCR has said in the past that it will be auditing about 350 covered entities, and that it will also review some of each of the covered entity’s business associates.
Zacharias helps clients comply with the HIPAA requirements. In a commentary based on recent remarks by Devin McGraw, a top HHS OCR official, he says he thinks auditors may use a list of entities with existing HHS OCR relationships to pick HIPAA Phase 2 audit targets.
Some of the covered entities in that database may have come to the attention of HHS OCR due to complaints, but others might be in the database because they voluntarily complied with HHS OCR breach reporting requirements, Zacharias says.
“There is likely a number of covered entities and business associates out there who have never reported a breach — even though they may have had a legal obligation to do so — and are not in ‘OCR’s database,’” Zacharias says.
Using the database of entities with HHS OCR relationships to pick audit candidates seems to be unfair to “good citizens” that dutifully reported breaches, and it means that the entities audited might be different from a pool of audit targets selected through a truly random process, according to Zacharias.