HIPAA Audits: 3 Key Topics
Expert Offers Insights on Areas to be Scrutinized
Risk assessments, encryption of end-user devices and contingency planning are likely to be among the key areas that auditors will examine, says Holtzman, a consultant who formerly worked at the Department of Health and Human Services' Office for Civil Rights.
"When I look at breach reports, [a majority of] breaches involve lost or stolen devices that are not encrypted," Holtzman says in an interview with Information Security Media Group during the recent 2014 HIMSS Conference. "Encryption on end-user devices will be something that will be looked at quite carefully," he predicts.
"In addition, contingency planning and having appropriate data backups I know is a major concern," he says. In the aftermath of Superstorm Sandy in October 2012, "many small healthcare providers - physicians, dentists, ancillary healthcare providers - simply had their records flooded out, whether they were on paper or on the hard drives of computers in their offices," he says. "I do know this is an area of special concern to [HHS], and they want to work with healthcare providers to raise awareness and expectations."
Holtzman expects OCR will begin to phase in at least part of the audit program by April. "It may not be the full or permanent audit program that they envision ... but what is clear is that they are identifying folks who could be targeted for an audit," he says.
A notice posted by OCR in the Feb. 24 Federal Register outlined OCR's plans to survey up to 1,200 covered entities and business associates to determine suitability for the OCR HIPAA audit program.
At the HIMSS Conference, OCR Deputy Director Susan McAndrew told ISMG that the organizations to be surveyed "is an oversupply," because not all the survey participants will end up being suitable candidates for audits. She declined to say how many organizations will actually be audited.
OCR has had staff working on developing protocols for the audit program for the last 18 months since the 2012 pilot audit program wrapped up, Holtzman notes. The audit program will be carried out by staff from OCR's central and regional offices, he says. "This represents a formidable team that can go out and do a limited number of audits and ask meaningful questions and develop meaningful results," he says.
In the interview, Holtzman also discusses:
- Documentation that organizations should prepare to present to federal regulators in case of a HIPAA audit or breach investigation;
- Steps organizations should take to improve their overall security programs beyond HIPAA compliance;
- His assessment of the state of information security by covered entities and business associates.
Holtzman joined the information security consulting firm CynergisTek in November, where he serves as vice president of privacy and security compliance services. Previously the attorney was a senior adviser at OCR, where he played key roles in planning and developing policy and guidance issued under HIPAA and HITECH Act regulations. While at OCR, Holtzman also served as subject matter expert to other federal agencies in the planning, execution and resolution of complex investigations involving reviews of organizations' compliance with the HITECH Act and the HIPAA privacy and security rules. Earlier, Holtzman served as the privacy and security officer for Kaiser Permanente's Mid-Atlantic region.