Time to Review HIPAA Compliance
Looming Audits, Ramped Up Enforcement Put HIPAA in Spotlight
The Department of Health and Human Services' Office for Civil Rights unveiled plans for HIPAA compliance audits, as mandated under the HITECH Act. Plus, the office announced an $865,000 fine for a HIPAA violation at UCLA Health System, illustrating yet again that enforcement is ramping up.
Susan McAndrew, OCR's deputy director, explained that the agency expects to conduct 150 audits by the end of 2012 once tests are completed. Initially, the audits will likely offer comprehensive assessments of compliance with the HIPAA privacy and security rules rather than focusing on specific, narrower issues, she said.
Adam Greene, a former OCR official, and Mac McMillan, a security consultant, offered tips on how to prepare for the audits.
"There are a lot of policies and procedures that look really good on paper, but in the reality of a complex and busy environment, they just don't work in practice," Greene said. "You have to go down to the staff, look around, and see what's working and what's not. If you don't do it, the auditors will. And so you want to have a fresh set of eyes looking at this before they come."
McMillan offered 10 tips, including making sure your organization has an up-to-date risk analysis for the entire enterprise.
"Information security auditors want to know the basis of your program and your controls and whether or not you've actually identified what the risks are in your environment," the consultant said. "They want to know if you have organized your security program around an appreciation of where those risks are."
HIPAA Sanctions
Meanwhile, OCR's sanctions against University of California at Los Angeles Health System offer a reminder of the high potential cost of a HIPAA violation. In addition to the fine, the health system committed to a corrective action plan aimed at remedying gaps in its compliance with the rules.
The resolution agreement stems from complaints filed on behalf of two celebrity patients, alleging that employees repeatedly viewed the patients' electronic protected health information without permission, a clear HIPAA violation.
With HIPAA audits on the horizon, and OCR's stepped-up enforcement activity grabbing headlines, it's time to take a fresh look at your organization's HIPAA compliance efforts.
To help assess the compliance and risk management efforts of healthcare organizations, HealthcareInfoSecurity is conducting its inaugural Healthcare Information Security Today survey.
By participating in this important research project, you'll help us provide you with a detailed analysis of the status of healthcare information security, which you can then use to compare your organization's efforts with others and gain insights that you can apply to your security and compliance programs.