
Two of our colleagues, Jason Riddle and Gary Ridner, attended the OCR/NIST 6th Annual Conference on Safeguarding Health Information in Washington in early June. Gary Ridner offers up this blog post and tip. Here’s today’s big tip: Take Stock of Your HIPAA Privacy and Breach Notification Compliance Status!

HIPAA Audit Tips – Take Stock of Your HIPAA Privacy and Breach Notification Compliance Status!

OCR/NIST 6th Annual Conference on Safeguarding Health Information

by Gary Ridner, MBA, CISSP, CISM

At the 2013 OCR/NIST Annual Conference on Safeguarding Health Information, Leon Rodriguez, the Director of the U.S. Department of Health and Human Services’ Office for Civil Rights, opened his remarks by relating a story about one of the times he had to testify before Congress. In this instance, he had to follow a woman who had just finished describing how one of her relatives had been denied life-saving care because of HIPAA. Apparently, one of her relative’s physicians’ offices refused to release critical information about the relative’s care and treatment, information that was vital to saving their life at that time, because the office believed, incorrectly, that HIPAA did not authorize it to do so. In fact, the HIPAA Privacy Rule explicitly states that “A covered entity may disclose protected health information for treatment activities of a health care provider.” (45 CFR § 164.506(c)(2)).

Director Rodriguez went on to explain that, in his opinion, HIPAA was meant to be a valve, not a blockage, in the flow of health care information. Nevertheless, this example raises the question of how, more than 15 years after HIPAA became law, this situation, and probably many more just like it, could have arisen.

One possible reason is that the law has always included both civil and criminal penalties for failure to comply with a requirement of the Privacy Rule, and these are imposed on the individual responsible for the disclosure. With the passage of the American Recovery and Reinvestment Act of 2009, signed into law on February 17th, 2009, civil penalties could range from $100 to $50,000 per violation, and a violation could also land someone in jail for up to a year. While Director Rodriguez made it clear that OCR has neither the time nor the manpower to pursue minor violations of the Privacy Rule, especially where there is no previous history of such infractions, it is certainly possible that OCR’s hand could be forced in these matters. In particular, he pointed out UCLA Medical Center’s disclosure of certain celebrities’ medical information as a violation of the HIPAA Privacy Rule which, because it was so egregious, had to be investigated.

Another possible reason has to do with the complexity of the law itself. The HIPAA Privacy Rule alone has 93 separate requirements, 23 of which have to do with Permitted Uses and Disclosures. Adding to this complexity is the fact that how these requirements apply to an organization depends on how the organization is categorized, e.g. Covered Entity, Group Health Plan, Business Associate, etc. The recent release of the over-500-page HIPAA Omnibus Final Rule, which changed the wording of certain parts of the law, further complicates matters.

Given these challenges, it is not surprising that some individuals and organizations might be both reluctant to release patient information and confused about when and to whom they might safely release it. How, then, does an organization ensure that it does not find itself in the unenviable position of potentially blocking the delivery of vital medical information in an emergency, or, alternatively, releasing information to unauthorized third parties? A good starting point is to consider using Clearwater Compliance’s Privacy and Breach Notification Gap Assessment Software to determine whether your organization has developed the policies and procedures that give your staff the guidance they need to know when it is appropriate to release Protected Health Information. Once this assessment process is complete and the necessary policies and procedures have been created, staff should be thoroughly trained on them, and in particular made aware of how to quickly access them in the future should they need to consult them about the appropriate actions to take.

If you have further questions about Clearwater’s Privacy and Breach Notification Gap Assessment Software, wish to obtain a free 30-day trial, or need assistance with your HIPAA Compliance program, policies, or procedures, please contact

The standard disclaimers hold here; the opinions contained herein are those of the author, who is not an attorney and is not offering legal advice.

Proven HIPAA Audit Tips – Other Actions You Should Take Now to Prepare for OCR HIPAA Investigations or Audits

We recommend that organizations that have not already done so complete some fundamental preparation activities, which include, but are not limited to:

  1. Establish a formal Privacy and Security Risk Management & Governance Program. (45 CFR § 164.308(a)(1))
  2. Complete a HIPAA Security Evaluation. (45 CFR § 164.308(a)(8))
  3. Complete a Privacy Rule compliance assessment. (45 CFR § 164.530)
  4. Complete a Breach Rule compliance assessment. (45 CFR § 164.400)
  5. Complete a HIPAA Security Risk Analysis. (45 CFR § 164.308(a)(1)(ii)(A))
  6. Develop comprehensive HIPAA Privacy, Security and Breach Notification Policies & Procedures. (45 CFR § 164.530, 45 CFR § 164.316 and 45 CFR § 164.414)
  7. Document and act upon a corrective action plan.

Join the 350+ companies (both covered entities and business associates) that work with Clearwater Compliance. We can help your organization jump-start your HIPAA Compliance program.


Bob Chaput

CEO at Clearwater Compliance