The collection of laws and regulations known commonly as HIPAA is comprised of two federal statutes and three federal rules:

The Health Insurance Portability and Accountability Act of 1996 ("HIPAA"),the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH"), the Privacy Rule (found at 45 C.F.R. 164.500 et. seq.), the Security Rule (found at 45 C.F.R. 164.300 et. seq.) and the Breach Notification Rule (found at 45 C.F.R. 164.400 et. seq.). 

The three rules were amended and combined in 2013 into what is known as the HIPAA Privacy, Security, Enforcement and Breach Notification: Final Omnibus Rule. The federal Office for Civil Rights ("OCR") has the duty and responsibility to investigate complaints or reports of potential HIPAA violations and to continuously monitor entities required to comply with HIPAA ("Covered Entities") for compliance. OCR began a preliminary pilot program for random compliance audits of Covered Entities in 2015.

The OCR looks at several areas of HIPAA compliance when performing an audit including:

• Does the Covered Entity have a Notice of Privacy Practices? Is the notice complete? Is the notice posted and distributed properly
• What are the patients' rights to request privacy protections, access to or an accounting of disclosures of their protected health information ("PHI")
• What are the Covered Entities administrative requirements for the security of PHI
• Does the Covered Entity have proper Authorizations for Use and Disclosure of PHI available for patient use
• Are there proper administrative, physical and technical safeguards in place on the premises of the Covered Entity

All medical practices must have a designated Security Officer who is responsible for HIPAA security. The designated Security Officer should perform regular internal Compliance Risk Assessments as well as staff training sessions to ensure that all of the proper protections are in place and are functioning properly. 

OCR is on schedule to begin its second round of HIPAA audits in early 2016 and plans to include many more types of Covered Entities that were included in the first phase as well as Business Associates (as defined by HIPAA) of Covered Entities. 

One of the essential items that OCR will be looking for is the proper performance of an internal Compliance Risk Assessment and the implementation of any necessary plans to cure any problems that are discovered as a result of the Compliance Risk Assessment.

Although OCR will not be publicly posting any audit results, the results are not confidential and the potential financial consequences of a poor audit are substantial. Any Covered Entity or Business Associate who has not yet performed an internal Compliance Risk Assessment should plan to do so immediately and should begin to prioritize the necessary changes which result based upon the level of risk involved in each deficiency. 

HIPAA compliance is one of the most cited and least understood laws in the typical medical practice. Although HIPAA has been in place for decades, it has changed rapidly in the last ten years due to the rapid proliferation of technology in medicine. 

In addition to these progressive changes, the law itself underwent a major overhaul in 2013 resulting in any practice that has not updated their HIPAA materials since that time being out of compliance. The speaker will highlight the major changes that must have been implemented after the 2013 HIPAA updates. Thereafter, the attendee will learn the basic requirements for a Notice of Privacy Practices as well as when authorizations are and are not required for the use and disclosure of a patient's protected health information. 

The latter half of the webinar will focus on the identification of a breach and what the required process is to remedy a breach if it is determined one has occurred.

The federal Office for Civil Rights, the government entity tasked with enforcing HIPAA began a preliminary pilot program in 2015 to ensure a certain number of random compliance audits of Covered Entities. 

The initial overview of HIPAA requirements and policies will help the attendee determine if his or her practice is compliant. Thereafter, the speaker will highlight what "red flags" the Office for Civil Rights looks for when determining whether to audit a practice and learn what to do in the event you are selected for a random audit.