According to OCR Deputy Director, Covered Entities and Business Associates Can Expect More HIPAA “Compliance and Enforcement” Action from OCR in 2014

by Leonardo M. Tamburello

In remarks at HIMSS 14, the flagship conference and exhibition of the Healthcare Information and Management Systems Society, Susan McAndrew, Deputy Director for Health Information Privacy at the Department of Health and Human Services’ Office for Civil Rights (OCR), stated that for the coming year 2014, “compliance and enforcement is really where the action is going to be,” as far as OCR is concerned. According to McAndrew, this includes “investigating our new friends, business associates,” who, under the 2013 HIPAA Omnibus Rule, may also be liable for data breaches. In earlier blog entries, we anticipated OCR’s intention to step up its auditing and enforcement efforts directed at covered entities and business associates in 2014.

In addition, McAndrew highlighted her agency’s interest in ensuring patients’ access to their own healthcare records, including electronic data. Under the Omnibus Rule’s amendments to HIPAA and related changes to the Clinical Laboratory Improvement Amendments (CLIA), patients have expanded rights of electronic access to health information and laboratory results.

That same day, HHS published a notice in the Federal Register of OCR’s intent to collect information from HIPAA-covered entities and business associates for the purpose of conducting pre-audit screenings. These surveys will gather information about covered entities and business associates to enable OCR to assess their size, complexity, and fitness for an audit. It is estimated that approximately 1,200 covered entities and business associates will be contacted.

At this time, comments are being accepted concerning: (1) the necessity and utility of the proposed information collection for the proper performance of OCR’s functions; (2) the accuracy of the estimated burden of 30 to 60 hours per respondent; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) the use of automated collection techniques or other forms of information technology to minimize the information collection burden.

Every covered entity and business associate, as well as any other business or individual that handles protected health information, should have a rigorous compliance program in place that is regularly audited and reevaluated in light of changes in the law and industry best practices. For more information, contact our Healthcare Practice Group.

HHS’s notice is available on the web at: http://www.gpo.gov/fdsys/pkg/FR-2014-02-24/pdf/2014-03830.pdf