According to healthcare attorney Susan Miller, detailed evidence of HIPAA compliance, and going beyond just the black-letter HIPAA rules, will be important factors when the Office for Civil Rights (OCR) makes its HIPAA audit rounds this fall. Miller said that OCR has been talking about evidence of compliance since 2009, when it first released the HIPAA Omnibus Rule Notice of Proposed Rule Making (NPRM).
Evidence of compliance, in my view, goes beyond what the rule asks of an organization, such as where its policies and procedures are. This includes the Notice of Privacy Practices (NPPs) and business associate agreements (BAAs), but they’ve also [made it clear] that organizations must have a breach plan. In no place in the regulation does it say that an organization has to have a breach plan or process. It does make sense to have a breach plan to know what the organization will do when it has a breach event. I would suggest that organizations have a breach plan that they look at and update yearly.