
April 6, 2016

New Breaches, New Technology and New Audits: Health Care Providers Need to Revisit and Assure HIPAA Compliance

The need for health care providers to review their privacy and security programs cannot be overemphasized, as significant breaches in the health care industry continue to make front page news. The value of information maintained by health care providers, both health information and identifying information such as patient identification numbers, social security numbers, addresses and other information that can easily be used for identity theft, is substantial and has a high value on resale markets. According to the New York Times, "Medical identity theft is on the rise, experts say, because it pays. In black-market auctions, complete patient medical records tend to fetch higher prices than credit card numbers. One security expert said that at one auction a patient medical record sold for $251, while credit card records were selling for 33 cents."

At the same time, the United States Department of Health and Human Services Office of Civil Rights (OCR) is stepping up enforcement and audit efforts, following a September 2015 report of the United States Department of Health and Human Services Office of the Inspector General (OIG), recommending that OCR strengthen its oversight of covered entities' compliance with the Privacy Rule. OCR was criticized for its oversight being "primarily reactive," with investigations based on complaints. The OIG expressed concerns over OCR's failure to follow up on corrective actions and over its database tracking system. It recommended that OCR: (1) fully implement a permanent audit program; (2) maintain complete documentation of corrective action; (3) develop an efficient method in its case-tracking system to search for and track covered entities; (4) develop a policy requiring OCR staff to check whether covered entities have been previously investigated; and (5) continue to expand outreach and education efforts to covered entities. OCR concurred with all five recommendations.

As such, OCR announced Phase 2 of its HIPAA Audit Program to occur this year. OCR promises to review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. At this point, OCR has stated that the audits will primarily be desk audits, although it stated that some on-site audits would be conducted. OCR stated that an email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner. OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees, which will be used with other information to create potential audit subject pools. Ignoring the request for information will not prevent an audit and OCR has stated that it expects entities to be checking junk and spam folders for the e-mail.

OCR has explained that it will choose auditees through random sampling of the developed audit pools. Selected auditees will then be notified of their participation. For those desk audits that are chosen, OCR states that they will complete those audits by the end of December 2016. Another set of audits will be onsite and will examine a broader scope of requirements from the HIPAA Rules than the desk audits. Some desk auditees may be subject to a subsequent onsite audit.

Many providers have feared security compliance over the years, as it has sometimes appeared to be overwhelming and highly technical. In addition, in the ever-changing and evolving world of technology, many providers have found it difficult to keep their security policies and procedures up to date with changing technology. However, given the number of breaches by health care providers, the risk of successful hacking, the risk of lawsuits, fines and penalties, licensing concerns and the horrific press that befalls providers who are the subject of a breach, it behooves all providers to: 1) audit their own privacy and security policies and procedures internally or through the use of an outside entity familiar with the requirements (note that OCR's audit tool is available on its website); 2) ensure appropriate updated training for all staff; and 3) revisit Business Associate Agreement requirements and ensure appropriate agreements are in place.

Should you require assistance in ensuring HIPAA compliance, please contact Melissa M. Zambri, Co-Chair of the Barclay Damon Health Care and Human Services Practice Area at 518-429-4229 or
