Home > Regions > North America > Healthcare Alert: Recent developments concerning HIPAA audits and penalties for non-compliance

Healthcare Alert: Recent developments concerning HIPAA audits and penalties for non-compliance

The United States Department of Health and Human Services Office for Civil Rights (OCR) has recently announced that the first 20 HIPAA audit letters have been sent to covered entities. The audit program will involve up to 150 covered entities by the end of 2012.

Of the first 20 audit letters, 10 involve healthcare providers, including at least three physicians or physician groups, as well as a laboratory, a pharmacy and other providers. Upon receipt of the audit letter, the covered entity has only 10 days to provide the requested information. 

If you have been delaying bringing your practice into full compliance with HIPAA’s privacy and security rules, the time to act is now, not when you receive an audit letter or when a breach or some other privacy or security related problem arises. To be prudent, all healthcare providers should assume that within the next couple of years they will be audited and required to disclose exactly how they have complied with HIPAA’s privacy and security requirements.

The failure to comply can also create significant financial and administrative problems if a HIPAA violation is discovered. A recent example involves a cardiac surgery practice located in Arizona. The practice had posted clinical and surgical appointments for their patients on an internet based calendar that was publicly accessible.

Following the disclosure of the violation, an investigation revealed that the practice had failed to comply with HIPAA in a number of respects, including failing to implement policies and procedures, failing to document the training of its employees, failing to identify a security official and conduct a risk analysis, and failing to obtain business associate agreements with certain business associates. The practice accepted a $100,000 penalty and agreed to institute a corrective action plan designed to bring it into full compliance with HIPAA’s privacy and security rules.

While the practice’s failures in this Arizona case involve some very basic HIPAA related requirements, it is likely that many physician practices throughout the country have similar HIPAA compliance shortcomings.

Physician practices and other healthcare providers need to do a thorough analysis of HIPAA’s requirements and determine the extent to which they are in compliance, as well as potential security threats and vulnerabilities. Far too many physician practices and other providers have simply assumed that by preparing a notice of privacy practices and having new patients sign an acknowledgement of having received a copy of it, they have brought themselves into full compliance with HIPAA. As those practices who will be on the receiving end of a HIPAA audit or similar investigation will find out, there is far more to HIPAA than a privacy notice or written acknowledgement.

Healthcare providers and other HIPAA covered entities are being subjected to increasing levels of scrutiny for compliance with privacy and security standards. It is expected that enforcement actions against covered entities and their business associates will intensify with the imminent revisions to the HIPAA security and privacy rules to incorporate various provisions of the HITECH Act, while breach notification requirements as well as the OCR audit program continue to shine a light on HIPAA compliance concerns. It is therefore becoming increasingly important for covered entities and their business associates to analyze their compliance with HIPAA standards.

If you have any questions concerning this Alert, please contact:

John T. Mulligan

Jane Pine Wood

Rick L. Hindmand

Rachel H. Yaffe

Healthcare Practice

McDonald Hopkins has a large and diverse healthcare practice, which is national in scope. The firm represents a wide variety of healthcare providers, facilities, vendors, technology companies and associations. Our diverse experience enables us to give our clients a unique perspective on the issues that may confront them in the rapidly evolving healthcare environment.

Carl J. Grassi, President
600 Superior Avenue, East, Suite 2100, Cleveland, Ohio 44114
Fax: 312.280.8232
Fax: 216.348.5474
Fax: 614.458.0028
Fax: 248.646.5075
Fax: 1.305.704.3999
West Palm Beach
Fax: 561.472.2122
IRS CIRCULAR 230 DISCLOSURE: To ensure compliance with requirements imposed by the Internal Revenue Service, we inform you that any tax advice contained in this communication (including any attachments), was not intended or written to be used, and cannot be used, by any taxpayer for the purpose of (1) avoiding any penalties under the Internal Revenue Code or (2) promoting, marketing or recommending to another party any transaction matter addressed herein.

© 2012 McDonald Hopkins LLC All Rights Reserved. This Alert is designed to provide current information for our clients, friends and their advisors regarding important legal developments. The foregoing discussion is general information rather than specific legal advice. Because it is necessary to apply legal principles to specific facts, always consult your legal advisor before using this discussion as a basis for a specific action.