HIPAA Audits Inching Closer to Reality
Booz Allen Hamilton wins two contracts
The Office for Civil Rights at the U.S. Department of Health and Human Services has awarded two key contracts to the consulting firm Booz Allen Hamilton Inc. OCR will hold a kick-off meeting with the McLean, Va.-based firm during the second week of April.
OCR, however, has not yet begun hiring auditors to conduct the investigations, the office told HealthcareInfoSecurity.com.
Booz Allen Hamilton won a contract to provide OCR with "temporary consulting support" for a "HIPAA compliance audit study" as the office continues to prepare for its HITECH-mandated auditing program.
The consulting firm also won a contract to help OCR develop and convene a series of training seminars for state attorneys general on enforcement of the HIPAA rules. Those seminars are slated to begin in June.
In addition to OCR's efforts, state attorneys general now have the power to file civil suits for cases involving HIPAA privacy and security violations. The Connecticut attorney general was the first to file such a suit as permitted under the HITECH Act.
Security consultant Kate Borten is among those who have criticized HHS for getting off to a slow start in launching the compliance audits, called for under the HITECH Act passed in February 2009. Since HIPAA was enacted in 1996, the government has been moving at a snail's pace to enforce its privacy and security rules, says Borten, president of the Marblehead Group.
"The government has done way too little on security and privacy compliance and enforcement," Borten says. "That has to be front and center, rather than taking it on as we move forward."
Borten and others have raised their concerns in commenting on the security provisions of a proposed "Healthcare IT Framework" that regulators will use to update the Federal Health IT Strategic Plan.
Details yet to come
In declining to discuss further details, OCR said more information about the HIPAA audit program eventually will be shared at www.hhs.gov/ocr/privacy.
More details also could be available at an upcoming event. On May 11-12 in Washington, OCR will join with the National Institute of Standards and Technology to host "Safeguarding Health Information: Building Assurance Through HIPAA Security."
In the meantime, OCR is posting a list of breaches affecting more than 500 individuals on its Web site. Under the HITECH Act's breach notification rule, such incidents must be reported to HHS and the media within 60 days. Smaller breaches must be reported to HHS annually.