Blogs - Practical Benefits Lawyer

The OCR's Resolution of HIPAA Matters Highlights Need for Compliance with Administrative Provisions

May 03, 2022

Recently, the Office for Civil Rights (the "OCR") of HHS announced the resolution of three investigations and one matter before an Administrative Law Judge (collectively, the "HIPAA Matters") related to non-compliance with the HIPAA privacy rules (the "HIPAA Rules") by certain covered entities.

The OCR's investigations and enforcement action regarding the HIPAA Matters generally stemmed from infractions of non-administrative provisions of the HIPAA Rules (including impermissible disclosures of PHI) by the HIPAA covered entity in question. Notably, however, the OCR also specifically identified certain violations of administrative provisions by the covered entities that triggered civil monetary penalties and follow-up actions by the covered entities under formal corrective action plans with the OCR.

The OCR's published settlement agreements and notice of final determination regarding the HIPAA Matters (each, an "Agreement") discussed the following administrative violations by one or more covered entities and imposed the associated remedial actions:

1. The failure to timely designate a privacy official.

2. The failure to implement written policies and procedures ("P&P") to comply with the HIPAA Rules. Required remedial actions by one or more covered entities included:

(a) reviewing and revising the P&P at least annually to reflect both legal changes under the HIPAA Rules and changes within the covered entity (such as changes to the designation of the individual serving as a privacy official);

(b) distributing the P&P to all workforce members who are authorized by the covered entity to access PHI (the "Authorized Workforce"), including new members of the Authorized Workforce; and

(c) obtaining certifications from Authorized Workforce members of receiving, reading, understanding, and complying with the P&P.

3. The failure to conduct Authorized Workforce training in compliance with the HIPAA Rules. Required remedial actions by one or more covered entities included:

(a) providing training to all Authorized Workforce members at least every 12 months, including to new Authorized Workforce members within 30 days of their becoming an Authorized Workforce member;

(b) obtaining written or electronic certifications from Authorized Workforce members of having received the training;

(c) maintaining documentation of the required training, including the date that training was provided, and providing HHS with a copy of the training materials (e.g., PowerPoint slides) or a description of the training, including a summary of the topics covered, the length of the session(s), and the name of the entity that conducted the training; and

(d) reviewing the training materials at least annually and revising them as needed to reflect changes in the HIPAA Rules or HHS guidance, any issues discovered during HIPAA privacy audits of the covered entity, and/or other relevant developments.

4. Failure to maintain a "Notice of Privacy Practices" that includes the content required by the HIPAA Rules.

The OCR's resolutions of the HIPAA Matters and its related Agreements may serve as instructive reminders to employers that sponsor health plan covered entities regarding the importance of paying attention to their administrative obligations under the HIPAA Rules. Adherence to such administrative obligations may help to ensure covered entities avoid costly HIPAA violations.

The OCR's announcement regarding resolution of the HIPAA Matters is available here.
