While the audit program has so far made a good impact proving to be a fruitful approach to gauging and ensuring compliance, OCR is yet to determine precisely when the program will resume or how large it will be. In an interview with Healthcare Info Security, Mc Andrew offers useful insights about what’s ahead for HIPAA audits.

Highlighting the fact that organizations still have a long way to go when it comes to privacy and security, Mc Andrew said that only a small number of audits last year came away with no findings. She also stresses the importance of carefully assessing risks and safeguarding patient information and urges healthcare entities to make risk assessment, policies, and procedures up-to-date.

Insights Gained From HIPAA Audits

Although the audit results are still being assessed, according to Mc Andrew, one obvious take away is that organizations still have a lot of work to do to comply with both the privacy and security rules, and now is a good time for healthcare entities to turn their attention towards the immediate steps to be taken to ensure compliance.

Secondly, she also points out that organizations have to pay attention to whether security standards are being met. That would mean risk analysis and assessment to make sure all vulnerabilities are addressed. Thirdly, according to Mc Andrew, the audits also indicate that smaller entities are the ones struggling most to comply with both privacy and security requirements.

Addressing Encryption

Speaking about encryption, Mc Andrew pointed out that at least 15% of the audited organizations had neither implemented encryption, nor documented why encryption was not needed. While the security rule provides flexibility for cases where encryption is not reasonable and appropriate, it necessitates documenting the reason why it is not reasonable and appropriate, alongside documenting the alternate method used for securing information. However, it was found that a number of organizations had not only failed to encrypt but had also not documented the reason nor implemented equivalent means of protection.

Mc Andrew stressed that breaches due to loss/theft of storage/mobile devices were common, and in cases where such a loss/theft involved unencrypted data, endangerment of information becomes a potential cause for penalties.

Audit Reports

About publishing the audit results, Mc Andrew said that the 115 audit reports are now being analyzed and evaluated, and that the office is yet to determine what to do with the final analysis. However, she said that the office reserved the right, in appropriate cases, depending on the seriousness of a finding, to move any case for compliance review, which may result in enforcement action.

Resuming HIPAA Audits

According to Mc Andrew the office hopes to resume audits following the result of the evaluation and analysis of the previous audits. The evaluation of last year’s audit is expected to show where to concentrate more efforts and how best to sort the funding situation. The process of updating protocol is in progress to ensure changes in the final rule are taken care of, and the focus is now mainly on the implementation of the omnibus rule.

Tips to Prepare for the Audits

Healthcare organizations should look at this time as an opportunity for them to take a systemic look and ensure that their risk assessment, policies, and procedures are up-to-date, says Mc Andrew. This is a good time to ensure that compliance is a daily task. This would mean supporting compliance initiatives with an organized program and self-audit/external audit process.

This is what Aegify Security Posture Management and Aegify SecureGRC are designed to do. By offering ongoing security, ensuring privacy of health records and conducting periodic risk assessments, these platforms offer everything that healthcare entities need to become and remain compliant, and to ensure the security and privacy of patient health information.

The post HIPAA Audits- Timeline & Insights appeared first on Aegify.

However, the OCR Director also said that the audit program is likely to continue in 2013 despite budget cuts, and that it is good to keep the audit program going because it has exposed vulnerabilities and issues that could not have been identified through any other means. While he did not provide insights on the initial 20 audits, he noted that his office will issue an aggregate report on the results of all the audits once the 2012 reviews are complete.

He pointed out that his agency has identified many common HIPAA shortcomings so far in its investigations, including some fundamental issues such as lack of security/privacy policies, procedures and technical safeguards for data. The lack of evidence for risk analysis was also another common issue identified during these audits.

Your HIPAA Compliance Priorities

Rodriguez’s advice regarding HIPAA compliance priorities is that you should:

• Thoroughly understand HIPAA requirements
• Formulate a proper compliance plan
• Perform risk analysis from time to time
• Implement disciplinary policies and procedures
• Educate and train employees
• Determine what physical and technical safeguards are needed
• Implement these safeguards

He explained that complying with HIPAA is a continuous process. If this routine is affected, the process deteriorates over time, and vulnerabilities and breaches start occurring.

What to Expect of the HIPAA Audits

When asked whether KPMG will refine audit procedures after the initial 20 audits, Rodriguez gave an overview of the procedure that will be followed. He said that organizations will be asked to show documented evidence for all their HIPAA efforts. There will be a desk review of documents followed by on-site visits.

He also confirmed that the remainder of those organizations to be audited this calendar year will soon be notified about the audit.

Speaking about the OCR budget of 5% for 2013, Rodriguez said that the budget cut may not necessarily affect the office’s ability to continue investigations and enforce HIPAA because the monetary recoveries from these investigations are likely to make up for it.

When asked about the high penalties which can be imposed for HIPAA violation, he said that at the lower end of the spectrum penalties can range from $1000 to $50,000 per individual violation up to an aggregate of $1.5 million a year per provision violated during that year. And at the higher end of the spectrum he said that where willful neglect without corrective action has been proved, penalties can range from $10,000 to $50,000 a year up to the same cap of $1.5 million.

What Should Be Your Immediate Course of Action

If you have not implemented adequate security measures already, it’s time you took a more serious look into it. As Rodriguez points out, HIPAA compliance is not a one-time goal. You need to maintain compliance with HIPAA on a continuous basis. So as an immediate step you should conduct a self-audit and assess risks, identify shortcomings in your system and fix them with the right solutions.

This however, is not an easy task. In order to ensure compliance with HIPAA and to meet the audit requirements with ease, you need to adopt a robust solution like SecureGRC. SecureGRC offers an efficient HIPAA compliance framework that can enable you to overcome the hassles involved in compliance, and can also ensure that security and compliance are managed and maintained in the long-run. It also provides and audit framework that can help you make yourself audit-ready at all times.

The post HIPAA Audits to Continue in 2013: Here’s What to Expect appeared first on Aegify.