With the OCR ramping up enforcement activity and issuing a number of HIPAA compliance settlements, it has become imperative for healthcare entities to act swiftly and meet all the requirements needed to survive OCR breach investigations and upcoming audits. The OCR is clearly signaling that it takes its responsibility to enforce the HIPAA rules seriously, as the recent record $4.8 million HIPAA enforcement settlement with New York-Presbyterian Hospital and Columbia University shows.
HIPAA expert Reza Chapman considers it necessary for healthcare organizations and their business associates to take the crucial steps now to prepare for potential breach investigations and HIPAA compliance audits. Chapman, a senior manager in the healthcare advisory services practice at consulting firm EY (formerly Ernst & Young), says in an interview with Information Security Media Group that the OCR is not only warning covered entities and business associates about ongoing enforcement, but is also effectively responding to the [HHS] Office of Inspector General's finding that the OCR did not do enough to enforce the rules last year.
It is evident that all healthcare entities and their business associates need to step up their measures, more than ever, and be ready for intense regulatory scrutiny. Covered entities and business associates need to accelerate their compliance and security measures and make certain they leave no avenue open for a breach. Although the primary focus should be on updating security and privacy policies and procedures to meet the HIPAA requirements, it is also vital for healthcare organizations to ensure they have a breach response and notification plan in place. While preparing for the upcoming audits, Chapman emphasizes, it is essential for organizations to take the measures needed to lower their risk of expensive enforcement actions. Going further, Chapman reiterates that:
- All organizations looking to stay away from OCR scrutiny must carry out a thorough risk analysis and implement "positive steps to remediate the findings".
- Entities must "demonstrate a culture of compliance that shows privacy and security are not new concepts to the organization".
- Besides ensuring that all policies and procedures are scrupulously documented, it is also essential to evaluate potential breaches and report them quickly.
All healthcare organizations involved in an active HIPAA investigation by the OCR need to cooperate fully with the agency. Organizations that take evasive or combative stances are likely to be penalized the most. Healthcare organizations can greatly benefit from adopting comprehensive security solutions such as Aegify Security Posture Management or Aegify SecureGRC to ensure compliance with HIPAA regulations and be ready to handle the upcoming audit effectively.