New HIPAA Compliance Help on the Way
Regulators to Unveil Risk Assessment, Security Guides
The federal "wall of shame" tally of major health data breaches, and the results of HIPAA compliance audits conducted so far, illustrate that the healthcare sector has a long way to go when it comes to protecting patient privacy and improving information security.
For example, one key problem area has been risk assessments, which many healthcare providers do poorly, if at all, based on the findings of federal audits and breach investigations. Another weak spot has been the use of encryption. Stolen and lost unencrypted computing devices have been the culprit in more than half of major health data breaches in the last four years.
Many covered entities and BAs can certainly use whatever help they can get to improve HIPAA compliance, especially when it comes to risk assessments and mobile device security.
That's why it's good news that federal regulators plan to offer two new guides to help organizations address key security challenges in the weeks to come. I've learned that a tool to help smaller providers conduct a risk analysis, as well as a video on privacy and security issues, will be available soon.
Stricter HIPAA enforcement is coming in the New Year, along with a renewal of HIPAA compliance audits.
So it's more important than ever for healthcare organizations of all sizes, and their business associates, to take advantage of these and other free resources to bolster their efforts to protect patient privacy and improve information security.
Under the HIPAA Omnibus Rule, business associates are now directly liable for HIPAA compliance, and penalties can go as high as $1.5 million per year for violations of an identical HIPAA provision.
The Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, will resume its HIPAA compliance audit program next year. The expanded audit program will include business associates for the first time. And it will focus more narrowly on the problem areas that stood out in the previous OCR audits (see: HIPAA Audits: More to Come in 2014).
In the Works
The Office of the National Coordinator for Health IT, another HHS unit, is developing a new tool designed to help smaller physician practices with one of those problem areas: risk assessments.
Conducting a thorough risk assessment is a critical component of any information security program. It's also required under the HIPAA Security Rule as well as the HITECH Act's electronic health record incentive program. To qualify for incentives in Stage 2, hospitals and physician groups must attest to performing a risk analysis that, among other things, addresses the use of encryption for stored patient information.
An ONC spokesman told me: "We are working on a tool for small practices, and we expect this to be released in 2014. We hope that this tool will help providers perform a risk assessment in their practices and help them evaluate the administrative, technical and physical safeguards in their organizations as required under the HIPAA Security Rule."
Meanwhile, OCR and the Centers for Medicare and Medicaid Services are developing a video focused on privacy and security issues tied to the HITECH Act's EHR meaningful use incentive program. "We hope to have this posted before January 2014," an OCR spokeswoman says, declining to elaborate on details.
While OCR and ONC are readying new compliance resources, they already offer a number of online guides and videos to help improve health data privacy and security. That material includes guides on mobile security, including a primer on encryption.
In addition, other federal agencies offer a variety of resources on security and privacy issues. That includes guides from the National Institute of Standards and Technology for everything from risk assessment and encryption to its upcoming cybersecurity framework.
But for many healthcare organizations, especially smaller clinics and their business associates, deciphering complex NIST guidance isn't easy. And many of those smaller organizations don't have pockets deep enough to pay for consultants who can translate and implement that guidance. The truth is that many smaller organizations don't know where to begin to assess risks, much less mitigate them.
The new resources coming in the weeks ahead should prove helpful for organizations struggling with HIPAA compliance.