The HHS/OCR Hit List for HIPAA Audits

As the HHS Office for Civil Rights analyzes breach reports for vulnerabilities, it has learned lessons on areas where covered entities should pay particular attention to their HIPAA compliance efforts. With OCR hoping soon to launch a permanent random HIPAA Audit program, the agency has reiterated six core ways to avoid common types of breaches, which will be among the targeted focus areas of audits.

Risk Analysis and Risk Management

“Ensure the organization’s security risk analysis and risk management plan are thorough, having identified and addressed the potential risks and vulnerabilities to all ePHI in the environment, regardless of location or media. This includes, for example, ePHI on computer hard drives, digital copiers and other equipment with hard drives, USB devices, laptops, mobile phones and other portable devices, and ePHI transmitted across networks.”

Security Evaluation

“Conduct a security evaluation when there are operational changes, such as facility or office moves or renovations that could affect the security of PHI, and ensure that appropriate physical and technical safeguards remain in place during the changes to protect the information when stored or when in transit from one location to another. In addition, conduct appropriate technical evaluations where there are technical upgrades for software, hardware and websites, or other changes to information systems to ensure PHI will not be at risk when the changes are implemented.”

Security and Control of Portable Electronic Devices

“Ensure PHI that is stored and transported on portable electronic devices is properly safeguarded, including through encryption where appropriate. Have clear policies and procedures that govern the receipt and removal of portable electronic devices and media containing PHI from a facility, as well as that provide how such devices and the information on them should be secured when off-site.”

Proper Disposal

“Implement clear policies and procedures for the proper disposal of PHI in all forms. For electronic devices and equipment that store PHI, ensure the device or equipment is purged or wiped thoroughly before it is recycled, discarded, or transferred to a third party, such as a leasing agent.”

Physical Access Controls

“Ensure physical safeguards are in place to limit access to facilities and workstations that maintain PHI.”

Training

“Ensure employees are trained on the organization’s privacy and security policies and procedures, including the appropriate uses and disclosures of PHI, and the safeguards that should be implemented to protect the information from improper uses and disclosures; and ensure employees are aware of the sanctions and other consequences for failure to follow the organization’s policies and procedures.”
