HIPAA Megarule Enforcement Begins

Although it took three years to craft and revise the HIPAA Megarule regulations, the final version of the rules is now officially enforceable. Small physician practices did not previously face a high risk of a HIPAA audit, but that may change: the Office for Civil Rights (OCR), the arm of the Department of Health and Human Services in charge of audits, is making an increased effort to use fines collected for HIPAA violations to fund further audits.

Under the new HIPAA Megarule, the OCR will increase scrutiny of business associates, who are now directly responsible for HIPAA compliance, and will focus its efforts on covered entities that fail to follow their own specific policies over a long period of time. The OCR will also scrutinize covered entities' specific policies and whether the entities are complying with them. Specific areas of concern to the OCR include whether physician practices have undertaken a security-risk analysis and whether protected health information in electronic form and the transfer of that information are secure.

Physician practices need to have all applicable HIPAA forms and security plans in place in the event that a breach occurs, and they need to update their plans to address the Megarule’s change to the security breach analysis.

Daniel J. Dingeman is an experienced business and healthcare law attorney in Traverse City who has represented physicians, ambulatory surgery centers, physician hospital organizations and physician practices in all aspects of litigation and counseling. For more information, please contact Daniel at 231.929.0500 or [email protected].

This article is for informational purposes only. It is not intended to give legal advice for particular situations or subjects.