In an interview with Howard Anderson from HealthcareInfoSecurity, Leon Rodriguez, Director of the Department of Health and Human Services’ Office of Civil Rights (OCR), outlined the HIPAA audit plans for this year and next. He said that the number of HIPAA audits completed this year will be fewer than the originally planned 150, because of the office’s funding levels and the capacity of KPMG, the firm hired to carry out the audit program.
However, the OCR Director also said that the audit program is likely to continue in 2013 despite budget cuts, and that it is good to keep the audit program going because it has exposed vulnerabilities and issues that could not have been identified through any other means. While he did not provide insights on the initial 20 audits, he noted that his office will issue an aggregate report on the results of all the audits once the 2012 reviews are complete.
He pointed out that his agency has identified many common HIPAA shortcomings so far in its investigations, including fundamental issues such as the lack of security/privacy policies, procedures and technical safeguards for data. The lack of evidence of a risk analysis was another common issue identified during these audits.
Your HIPAA Compliance Priorities
Rodriguez’s advice regarding HIPAA compliance priorities is that you should:
- Thoroughly understand HIPAA requirements
- Formulate a proper compliance plan
- Perform risk analysis from time to time
- Implement disciplinary policies and procedures
- Educate and train employees
- Determine what physical and technical safeguards are needed
- Implement these safeguards
He explained that complying with HIPAA is a continuous process. If this routine lapses, the process deteriorates over time, and vulnerabilities and breaches start occurring.
What to Expect of the HIPAA Audits
When asked whether KPMG will refine audit procedures after the initial 20 audits, Rodriguez gave an overview of the procedure that will be followed. He said that organizations will be asked to show documented evidence for all their HIPAA efforts. There will be a desk review of documents followed by on-site visits.
He also confirmed that the remainder of those organizations to be audited this calendar year will soon be notified about the audit.
Speaking about the 5% cut to the OCR budget for 2013, Rodriguez said that the budget cut may not necessarily affect the office’s ability to continue investigations and enforce HIPAA, because the monetary recoveries from these investigations are likely to make up for it.
When asked about the high penalties that can be imposed for HIPAA violations, he said that at the lower end of the spectrum penalties can range from $1,000 to $50,000 per individual violation, up to an aggregate of $1.5 million a year per provision violated during that year. At the higher end of the spectrum, he said that where willful neglect without corrective action has been proved, penalties can range from $10,000 to $50,000 a year, up to the same cap of $1.5 million.
What Should Be Your Immediate Course of Action
If you have not implemented adequate security measures already, it’s time you took a more serious look into it. As Rodriguez points out, HIPAA compliance is not a one-time goal. You need to maintain compliance with HIPAA on a continuous basis. So as an immediate step you should conduct a self-audit and assess risks, identify shortcomings in your system and fix them with the right solutions.
This, however, is not an easy task. In order to ensure compliance with HIPAA and to meet the audit requirements with ease, you need to adopt a robust solution like SecureGRC. SecureGRC offers an efficient HIPAA compliance framework that can help you overcome the hassles involved in compliance, and can also ensure that security and compliance are managed and maintained in the long run. It also provides an audit framework that can help you stay audit-ready at all times.