HIPAA crackdown coming: How to prep for Audits
Earlier this month health insurer Anthem, Inc. disclosed a data breach involving an estimated 80 million records containing protected health information (PHI). In 2013, Anthem (then known as Wellpoint) was fined $1.7 million by the Department of Health and Human Services (HHS) in connection with an unauthorized disclosure of PHI.
Last May, Columbia University and New York-Presbyterian Hospital were fined a combined $4.8 million for HIPAA violations when a doctor disconnected his personal computer from the hospital network, leaving patient information vulnerable to discovery through Internet search engines.
After some delay, Phase II of the HIPAA Audit Program is expected to begin soon. This means the Office for Civil Rights (OCR) will begin conducting compliance audits this year. If you have not completed a HIPAA risk assessment in the last 12 months, you should do so now. Risk assessments are a fundamental requirement under HIPAA, not a “nice to do.” There is no way to properly implement HIPAA policies and procedures without fully understanding your environment and the risks it presents to protecting privacy and securing PHI.
When HIPAA was enacted in 1996, privacy was not the principal focus of the legislation. Indeed, it took HHS eight years to publish the initial HIPAA Privacy Rule. It took several more years for HHS to publish the initial Security Rule. The Security Rule directed “covered entities” (e.g., providers, hospitals, health insurers) to perform a risk assessment, understand where their vulnerabilities were, and to adopt reasonable safeguards to fix them.
There are three categories of HIPAA safeguards:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
In 1996, HIPAA compliance might have simply required a memo to staff, a sturdy lock on the records room, and an alarm on the building. The creation and rapid adoption of electronic health records over the last several years have rendered locks and alarms a quaint reminder of simpler data security times. Hence the Security Rule’s requirement that covered entities (and now business associates) conduct a proper risk assessment.
A risk assessment does not need to be expensive. The OCR website has a downloadable tool for performing a security risk assessment (SRA). The SRA tool consists of 156 “yes” or “no” questions about the organizational policies and procedures for your practice. When you are done, you will have up-to-date information about where your practice needs improvement with respect to HIPAA. Importantly, the SRA tool does not report information outside of your practice. Its purpose is to give you information that helps you become fully compliant. Be aware, though, that HHS cautions that use of the SRA tool does not guarantee HIPAA compliance, and the ultimate determination of compliance is left to each health care provider and organization.
Phase II of the OCR’s HIPAA audit program is imminent, and may herald a further crackdown on compliance. While there has been no formal announcement regarding the scope or concentration of the audits, OCR has been consistent in suggesting a substantial increase in on-site audits (as opposed to desk audits).
The OCR’s HIPAA audit protocol (in its current form) is obviously useful information as you continue your HIPAA compliance journey.
Original article by Keith Dennen.