Surviving a HIPAA Privacy/Security Audit


The HHS Office for Civil Rights expects in 2015 to begin a random audit program to assess compliance with the HIPAA privacy, security and breach notification rules. At the MGMA Conference, David Holtzman, a former senior advisor at OCR and now vice president of compliance services at security firm CynergisTek, walked through what providers selected for an audit can expect.

Red Flags

In the 2012 pilot audit program, security rule problems were found twice as often as anticipated, so expect security issues to receive more weight under the permanent audit program. OCR found through the pilot audits that many organizations had never conducted a security risk analysis, or had never updated their initial analysis; that is a huge red flag that an organization is not taking HIPAA seriously. Other areas with significant deficiencies included access management, security incident procedures, contingency planning, audit controls, and the movement and destruction of protected health information.

Getting Notified

OCR will send 1,200 notification letters, on official letterhead, to healthcare organizations to confirm the correct address, the appropriate HIPAA officers, the size of the organization and what it does. This is NOT a notice of an audit, but the information will be used to build the list of organizations that will be audited. Organizations will NOT get an email saying, “Click here, you have been selected for an audit,” so beware of scammers. Organizations actually selected by OCR will receive a formal audit notification letter.

Desk Audits

About 200 covered entities and 300-400 business associates will receive notification of a “desk audit,” which will include a request for submission of specific content and other documentation that demonstrates the scope and timeliness of an organization’s efforts to comply with the HIPAA rules. Focus areas for covered entities will likely include risk analysis and risk management, the content and timeliness of breach notifications, and a notice of privacy practices updated to reflect the changes in the HIPAA Omnibus rule implemented in 2013. The likely focus for BAs will be risk analysis and risk management, and appropriate breach reporting to covered entities.

Follow Instructions

Under a desk audit, only documentation delivered on time will be reviewed, so send ONLY the information required. Desk audits, Holtzman says, are not an opportunity for a conversation or give-and-take. Auditors will not contact an organization again for clarifications or ask for additional information; they will work with what is sent and make a decision on compliance. Failure to respond to a desk audit notification will likely lead to a more formal compliance review. Audit findings will not become a matter of public record.

On-site Audits

During 2015, and likely into 2016, OCR will also conduct on-site audits of an unspecified number of covered entities and business associates. This is a more comprehensive audit than a desk audit, and privacy will receive a higher level of attention. Auditors will likely be looking for updated notices of privacy practices, the ability of patients to get a copy of their health record (and to access it electronically if they wish), and how organizations treat requests to restrict disclosure of sensitive treatment that is paid for out-of-pocket.

How is your security?

Expect OCR in the on-site audits to look at security rule compliance in areas such as device and media controls, secure transmissions, encryption of data at rest (including documented justification if encryption is not used), facility access controls, administrative and physical safeguards, and workforce training. OCR is “dying” to focus on training because too many organizations haven’t trained their workforce since it was first required in 2003, Holtzman warns. “I have to tell you, that really rubs them the wrong way.”

Why Audit Compliance?

Retail and healthcare have been in the spotlight for weak security, and that attention has only intensified as hackers favor those industries for attack. The healthcare industry is a generation behind banking in safeguarding information, according to Holtzman. Nearly half of cybercrime is now aimed at healthcare, and during 2013 the industry saw a 138% increase in sensitive records exposed and a 20% increase in medical ID theft. Seventy percent of ID theft and fraud is committed by insiders. Eighty-three percent of large breaches involve theft.

Prepare Now

Holtzman suggests that if your risk analysis and risk management plans are more than two years old, you should update them now. Select 10 focus areas covering both the privacy and security rules, and if vulnerabilities have not been addressed, address them. “The best process to prepare for an audit is that if it comes, to be prepared on the day the letter arrives,” Holtzman says. “Be honest with yourself. Don’t paint a happy picture because you think you know what management wants to hear.”

Cost of a Breach

Healthcare organizations that have experienced breaches have learned that the experience can be shockingly expensive, with mitigation often costing more than putting protection in place would have. Holtzman gives 12 ways your money could be spent following a breach: discovery, notification and response; business disruption; ID theft monitoring; the size of the breach; investigation and review; lawsuit defense; state actions; corrective action plans and resolution agreements; civil penalties; criminal penalties; insurance; and patient confidence and loyalty.

More information on CynergisTek services is available from the company.
