• OCR’s Big 4

  • February was a busy month for Health and Human Services (HHS) and the Office for Civil Rights (OCR).  Here’s a recap.

    2-3-2016: HHS Administrative Law Judge (ALJ) ruled that Lincare, Inc. (Lincare) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring Lincare to pay $239,800 in civil money penalties (CMPs) imposed by OCR. 

    2-16-2016: Complete P.T., Pool & Land Physical Thnd required payment of $25,000, adoption and implementation of a corrective action plan, and reporting of compliance efforts for a one-year period. 

    2-24-2016:  The OCR released a crosswalk that was developed with the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator for Health IT (ONC). The crosswalk identifies “mappings” between the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) and the HIPAA Security Rule. The press release from the OCR stated “in addressing security, many entities both within and outside of the healthcare sector have voluntarily relied on detailed security guidance and specific standards issued by NIST.”

    2-25-2016: The Director of the OCR, Jocelyn Samuels, release the second set of FAQ’s addressing fees for copies of health information and the right to have health information sent directly to a third party. The press release states, “At the Office for Civil Rights (OCR), we believe strongly that every individual should be able to easily exercise their right to access their health information, allowing them to be fully engaged in their care and empowered to make the health care decisions that are right for them. The HIPAA Privacy Rule has always provided individuals with the right to access and receive a copy of their health information from their providers, hospitals, and health insurance plans. But this right has not always been well-understood, and far too often individuals face obstacles accessing their health information, even from entities required to comply with HIPAA.”

    It appears that the OCR has started to increase their education efforts as recommended in September’s study by the Office of Inspector General (OIG). One of the five recommendations by the OIG stated, “continue to expand outreach and education efforts to covered entities.”  It appears that education can come in many forms and sizes.

    Judith is the CEO of JAL Consult and holds the accreditation of Certified HIPAA Professional (CHP). As a consultant, Judith provides guidance for organizations within the HIPAA framework. Judith develops and implements reasonable and appropriate compliance programs, develops employee training programs and participates in compliance presentation and speaking engagements. To read more about the world of compliance subscribed to JAL’s insightful newsletter at www.jalconsultantsaz.com OR follow JAL on Twitter @ judithconsult