Due to the less than effective enforcement of the Health Insurance Portability and Accountability Act’s privacy standards in the past, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) will commence its long-awaited audits in early 2016. In the past, sanctions have been handed down only after breaches occurred and caused damage. The 2016 permanent audit program aims to be proactive and preventative rather than reactionary and responsive.
Despite many health organizations assuming that they are HIPAA compliant, a surprising number of entities fail to meet baseline standards of compliance. Common deficiencies found in the pilot audits included the inability or unwillingness to conduct security risk assessments, protected health information (PHI) records stored on exposed servers, unencrypted laptops, unchanged default passwords, outdated security software, and inadequate training of all personnel who access these records. In fact, a recent Ponemon Institute study showed that 91% of healthcare organizations have suffered at least one data breach in the past two years. Security experts at Websense (http://www.websense.com) have reported a 600% increase in attacks on hospitals since 2014. The value of PHI data has grown to the point where cybercriminals are dedicating a massive amount of time to bypassing basic security measures.
With the 2016 permanent audits looming around the corner, it has never been more important for all industries to be protected and prepared. Unlike the pilot audits in 2014, the 2016 second phase will encompass a much larger number of covered entities and their business associates. Organizations outside the health care industry that are connected through business associates will now be targeted for auditing as well. The audits require organizations to show proof of their HIPAA compliance, even if there have been no past data breaches. The new audit compliance requirements focus on three specific areas: Security, Privacy, and Breach Notification.
Appropriate preparation for an audit commences with proof of due diligence with respect to protecting personally identifiable information. Secondly, proof of extensive security precautions must be demonstrated and verified. The failure to conduct a security risk assessment has been grounds for a fine in the past, despite it being an easy way to ensure your organization is safe and not overlooking any endpoint vulnerabilities. The assessment will allow your organization to evaluate and assess all potential security risks you may be overlooking, as well as help ensure you remain compliant.
After conducting a security risk assessment, a review of the current HIPAA policy requirements can greatly benefit an organization in preparation for a potential audit. Gaining a full understanding of privacy practices, PHI handling, training, and administrative and technical security safeguards can be valuable. Policies and procedures will likely be examined by the Office for Civil Rights in the event of an audit. Any prior audit reporting should be readily available. The OCR has revealed that it has the ability to search for and track the previous compliance history of covered entities. Organizations should also be prepared to turn over their policies for privacy and breach notification standards. Preparing and reviewing this information now, instead of when an auditor finds it during an investigation, can help you know what to expect and prepare an audit response team if necessary.
Being transparent, cooperative, and prepared is the best plan for the 2016 permanent audit program. With million-dollar settlements, reputation damage, and business disruptions having been all too common in the past few years, the time to ensure your company’s compliance has never been more critical. Non-compliance should not be taken lightly by any business.
If you are in need of a Security Risk Assessment, or have any questions regarding how HIPAA compliance may affect your organization as a health care company or as an associate of one, contact us for more information, or continue the conversation with us on our Twitter, Facebook, or LinkedIn pages.