Ice Miller Data Security and Privacy: OCR Audit Preparation
Ice Miller is pleased to announce that Deepali Doddi has joined the firm’s Data Security & Privacy Practice Group. Deepali is a five-year veteran of HIPAA audits stemming from her time as a senior investigator with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). She was lead investigator in the North Memorial Health Care case, which resulted in a monetary settlement of $1.55 million for alleged noncompliance with the HIPAA Rules.
The experience and bench strength Deepali brings to our practice come at the right time. OCR has launched Phase 2 of its formal HIPAA Audit Program, and will soon audit 100-200 covered entities and business associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. With the increasing rigor of HIPAA audits and fines, now is the right time to invest in your HIPAA compliance program. Ice Miller’s Audit Preparation Program will pair a team of experienced health data privacy and security attorneys with your organization for a mock desk audit focusing on:
Evaluating your privacy and security policies and procedures against HIPAA Rules standards;
Determining whether you have conducted an organization-wide Security Rule risk assessment evaluating potential risks and vulnerabilities, and a plan to manage risks to an appropriate level;
your incident response plan and breach notification procedures;
Reviewing your notice of privacy practices and HIPAA patient authorization forms;
Identifying your business associates (including subcontractor business associates), and reviewing whether you have entered into compliant business associate agreements with them;
Examining your processes for handling patient requests for access, amendment, accounting of disclosures, and confidential communications; and
Reviewing whether your organization maintains documentation specifically required by the HIPAA Rules.
We also offer mock on-site audits, including interviewing workforce members, evaluating administrative, physical, and technical safeguards, and collecting relevant documents. Once the mock audit process is complete, we will prepare a comprehensive written report of findings, and provide concrete recommendations for improving HIPAA Rule compliance. We will meet with your HIPAA compliance team to discuss our findings and recommendations, and help you formulate the best going-forward plan.
Even if OCR does not select your organization for a Phase 2 audit, solidifying your HIPAA compliance measures now will protect your patients or plan participants, and leave you well-positioned to respond to an audit inquiry during a later stage of OCR’s permanent audit program. Resolving any gaps in your HIPAA compliance program will reduce the likelihood of breaches and consumer complaints, and help you avoid protracted government investigations and any associated penalties.
Ice Miller’s Data Security and Privacy team is available to assist you in bolstering your HIPAA compliance program. If you are interested in learning more about Ice Miller’s OCR Audit Preparation Program, please contact Kim Metzger (CIPP/US, CIPM), Nick Merker (CISSP, CIPT), or Deepali Doddi (CIPP/US).
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.