Remember the pilot HIPAA audit program conducted by the OCR (Office for Civil Rights) last year? HealthCareInfoSecurity.com reports on the findings, as revealed in an interview with an OCR attorney. About 44 percent had issues with their uses and disclosures of PHI, while 20 percent had problems with their notice of privacy practices.
Of the technical, physical and administrative areas of the HIPAA rule, a surprisingly large number had issues with the administrative security area. Nearly half had problems with their policies and procedures, and 26 percent had issues with staff training.
The OCR pointed out that nearly every covered entity found to be in compliance had one thing in common: they fully implemented addressable, or optional, specifications such as encryption. Another recommendation is to conduct a comprehensive risk analysis that evaluates all systems, since they change frequently with IT infrastructure updates. Of the providers audited, nearly 80 percent did not have a complete risk assessment.
The permanent and revised HIPAA audit program will resume in fiscal year 2014 (October) with updates from the initial pilot program and, as the HIPAA omnibus rule dictates, will include business associates and covered entities alike in its scope. But instead of expanding the number of requirements they test organizations against, the OCR will be streamlining and using a smaller set of the various HIPAA rules in order to reach more covered entities and business associates.
Another update the OCR is working on is a revised version of its current pre-HITECH audit protocol; once updated, the OCR will announce it on its website. As Sept. 23, the deadline for non-compliant covered entities and business associates to get in compliance with the current audit protocol, approaches, organizations will need to keep in mind that the protocol will likely change within the next year.
Since compliance, and in particular evolving regulatory standards, requires ongoing maintenance, it is important to stay updated on your vendor compliance dates: ask them the date of their last audit and request a copy of their HIPAA Report on Compliance (HROC). As the OCR recommends, one way to prepare for an audit is to review the protocol on the OCR website, which includes criteria and audit procedures for each requirement. View the Audit Program Protocol here. And read more about how the protocol came to be in The HIPAA Police Are On Their Way!
Learn more about the addressable but highly recommended requirement – encryption – in our upcoming webinar, Removing the ‘Cryptic’ from ‘Encryption’ – HIPAA and the Meaning of Secure PHI, on September 17 @2PM ET.
View a diagram of a HIPAA compliant data center IT infrastructure and learn about contractual requirements, benefits and risks of data center outsourcing, and vendor selection criteria in our HIPAA Compliant Hosting White Paper.
Preparing for HIPAA Compliance Audits