HIPAA Audits Inching Closer to Reality

Booz Allen Hamilton wins two contracts
Federal regulators are one small step closer to starting audits of healthcare organizations and their business associates for compliance with the HIPAA privacy and security rules as required under the HITECH Act.

The Office for Civil Rights at the U.S. Department of Health and Human Services has awarded two key contracts to the consulting firm Booz Allen Hamilton Inc. OCR will hold a kick-off meeting with the McLean, Va.-based firm during the second week of April.

OCR, however, has not yet begun hiring auditors to conduct the investigations, the office told HealthcareInfoSecurity.com.

The projects

Booz Allen Hamilton won a contract to provide OCR with "temporary consulting support" for a "HIPAA compliance audit study" as the office continues to prepare for its HITECH-mandated auditing program.

The consulting firm also won a contract to help OCR develop and convene a series of training seminars for state attorneys general on enforcement of the HIPAA rules. Those seminars are slated to begin in June.

In addition to OCR's efforts, state attorneys general now have the power to file civil suits for cases involving HIPAA privacy and security violations. The Connecticut attorney general was the first to file such a suit as permitted under the HITECH Act.

Slow start

Security consultant Kate Borten is among those who have criticized HHS for getting off to a slow start in launching the compliance audits, called for under the HITECH Act passed in February 2009. Since HIPAA was enacted in 1996, the government has been moving at a snail's pace to enforce its privacy and security rules, says Borten, president of the Marblehead Group.

"The government has done way too little on security and privacy compliance and enforcement," Borten says. "That has to be front and center, rather than taking it on as we move forward."

Borten and others have raised their concerns in commenting on the security provisions of a proposed "Healthcare IT Framework" that regulators will use to update the Federal Health IT Strategic Plan.

Details yet to come

In declining to discuss further details, OCR said more information about the HIPAA audit program eventually will be shared at www.hhs.gov/ocr/privacy.

More details also could be available at an upcoming event. On May 11-12 in Washington, OCR will join with the National Institute of Standards and Technology to host "Safeguarding Health Information: Building Assurance Through HIPAA Security."

Breaches listed

In the meantime, OCR is posting a list of breaches affecting more than 500 individuals on its Web site. Under the HITECH Act's breach notification rule, such incidents must be reported to HHS and the media within 60 days. Smaller breaches must be reported to HHS annually.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
