Reported healthcare data breaches have increased by nearly 138%. The Department of Health and Human Services’ Office for Civil Rights (OCR) has therefore unveiled the second round of its audit program. Unlike the previous round, this time the OCR plans to conduct audits across all high-risk areas. While this round eliminates on-site visits, the OCR is also considering integrating the audits into its formal enforcement program.
While HIPAA compliance audits have become more common, many healthcare providers are still not effectively prepared for an audit. These healthcare providers and their business associates may therefore face serious consequences during the next round of OCR audits. What healthcare providers need to understand is that while the Office for Civil Rights is not out to get them, it definitely expects healthcare enterprises to make a good-faith effort to protect their vital patient data. Even two years after the 2012 OCR pilot audit program, covered entities and business associates need to look for more effective measures to protect themselves and not fall victim to past mistakes.
In fact, with technology being integrated into the audit process, healthcare providers need to learn from their past mistakes and be ready to face the OCR audits. The 2012 OCR audits exposed gaps in healthcare compliance such as:
- Minimal or near-zero protection, with not even basic security tools or methods in place to identify vulnerabilities, leading to exposure of patient data.
- No knowledge of where data is located, while allowing anywhere, anytime access to that data from various handheld devices.
- No training sessions for employees, and no techniques for monitoring data or reporting data breaches.
Since the Department of Health and Human Services has recorded more than 500 data breaches affecting 33 million PHI records on its “wall of shame”, covered entities and their business associates need to understand that OCR audits act as a vehicle to help them efficiently monitor HIPAA regulatory compliance. As a first step in the process, however, these establishments need to conduct a risk assessment to identify areas of vulnerability.
Moreover, with HIPAA mandating the protection of PHI, covered entities and their business associates need to deploy more strategic methods to identify the risks their data faces. Deploying comprehensive security management solutions such as Aegify Security Posture Management and Aegify Secure GRC will help these healthcare providers face the OCR audits with confidence.