OCR Ramping Up Focus on HIPAA Audits in 2016

May 6, 2016

In recent reports issued by the Office of Inspector General for the Department of Health and Human Services (OIG), the Office for Civil Rights (OCR) was criticized for its failure to effectively enforce HIPAA privacy standards and to follow up on breaches involving protected health information (PHI).[1]

The OCR promised to increase its oversight and responded before the end of 2015 with the announcement of three HIPAA settlements exceeding $5 million.[2] It appears Leon Rodriguez, Director, Office for Civil Rights, wasn’t kidding when he stated: “These changes… strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections…”

A review of privacy violations during the period of 2009 to 2011 showed that 54% of violations demonstrated non-compliance with at least one privacy standard, with two standards being the most commonly violated: (1) restricting uses and disclosures of PHI and (2) implementing safeguards to protect PHI.[3]

In September 2015, the OCR awarded FCI Federal a $770,000 contract to conduct Phase 2 audits, which were scheduled to begin in early 2016.[4] These audits will focus on privacy rule requirements and security rule requirements, including administrative, physical and technical safeguards, and will be directed at health care providers (including dental practices), health plans and business associates.

Although the HIPAA privacy rule has been around since 1996 and the first penalty wasn’t imposed until 2008, enforcement has increased dramatically since 2012. Since then, there have been twenty-one penalties ranging from $50,000 to over $3.5 million,[5] seven of which were in excess of $1 million.

With audits increasing, what questions should we be asking?

  • Are our policies and procedures up to date with the current HIPAA privacy rule?
  • Is our staff up to date with the current HIPAA privacy rule?
  • Are we complying with administrative, technical and physical safeguards when addressing HIPAA and the transfer of protected health information?
  • Have we properly identified all business associates and ensured a Business Associates Agreement has been signed?
  • Have we conducted a proper risk assessment?
  • What technology is available to help prevent HIPAA violations?

When transferring PHI, specifically electronic PHI (ePHI), there are 5 technical safeguards addressed in the HIPAA privacy rule:[6]

  • Access Control - §164.312(a)(1)
    • Unique User Identification
    • Emergency Access Procedure
    • Automatic Logoff
    • Encryption & Decryption
  • Audit Controls - §164.312(b)
  • Integrity - §164.312(c)(1) - Authenticate Electronic Protected Health Information
  • Person or Entity Authentication - §164.312(d)
  • Transmission Security - §164.312(e)(1)
    • Integrity Controls
    • Encryption

A common misunderstanding when dealing with implementation is the distinction between “Addressable” and “Required.” If an implementation specification is “required,” the specification must be implemented as stated. An “addressable” implementation specification does not mean “OPTIONAL”; it provides flexibility in how to comply, and it must be implemented if it is “reasonable and appropriate” to do so. A covered entity will need to do one of the following for each addressable specification:[7]

  1. Implement the addressable implementation specification.
  2. Implement one or more alternative security measures that accomplish the same purpose.
  3. Implement neither the addressable implementation specification nor an alternative.

The covered entity’s decision must be documented in writing and must detail the factors considered as well as the results of the risk assessment on which the decision was based.

Technology for transferring electronic protected health information (ePHI) in the marketplace today varies from encryption plug-ins that meet only one or two of the security standards to fully HIPAA-compliant products providing coverage for all five technical safeguards. When selecting a HIPAA-compliant messaging provider, make sure you ask the following questions:

  • Does your provider utilize the DIRECT trust protocol, providing identity verification?
  • Is there a file size restriction for attachments and x-rays?
  • Does your provider store your emails for a minimum of 6 years?
  • Does your provider incorporate encryption technology?
  • Can your provider demonstrate their ability to provide an audit trail?
  • Can you communicate with entities outside of the network in a fully HIPAA-compliant manner?
  • Does your provider back up data regularly?

With the internet and a continual flow of information at our fingertips, “I didn’t know” no longer holds water. Simply stated, the federal government has discovered how to generate revenue using the HIPAA privacy rule. Although you might think “it would never happen to me,” it only takes one disgruntled employee or upset patient to file a complaint with the OCR against your practice.

Failure to comply with HIPAA can result in costly punitive fines and potentially put your practice at risk. Don’t be the example everyone else learns from.

Don Douglas is the Chief Operating Officer at iMedicor. iMedicor’s iCoreExchange is endorsed by VDA Services to allow members to communicate via email with patients and healthcare providers in a HIPAA-compliant manner. Members are able to receive a 35% discount off of the monthly fee and can find out more by calling 888-810-7706 or visiting signup.imedicor.com/vda.


[1] OCR to Increase HIPAA Audits in Early 2016 – https://www.bryancave.com/en/thought-leadership/ocr-to-increase-audits-in-2016.html

[2] Expect Increased Focus on HIPAA Audits in 2016 – http://www.primerus.com/business-law-articles/expect-increased-focus-on-hipaa-audits-in-2016.htm

[3] Expect Increased Focus on HIPAA Audits in 2016 – http://www.primerus.com/business-law-articles/expect-increased-focus-on-hipaa-audits-in-2016.htm

[4] OCR expected to increase HIPAA audits in 2016 – http://www.beckershospitalreview.com/healthcare-information-technology/ocr-expected-to-increase-hipaa-audits-in-2016.html

[5] OCR expected to increase HIPAA audits in 2016 – http://www.beckershospitalreview.com/healthcare-information-technology/ocr-expected-to-increase-hipaa-audits-in-2016.html

[6] HHS.gov – Office for Civil Rights – http://www.hhs.gov/ocr/

[7] Is your dental practice completely HIPAA compliant? – http://www.dentalproductsreport.com/dental/article/your-dental-practice-completely-hipaa-compliant