While the permanent audit program will look at the level of compliance at both covered entities and their business associates, the audits will also focus on the vulnerabilities that may change every year as new issues come to the forefront. The pilot program and the OCR breach investigations conducted so far found a major weakness across entities- the lack of a thorough risk analysis. And therefore risk assessments will continue to be a top criterion for determining compliance.

OCR is yet to hire a contractor for the permanent audit program, and industry experts believe that OCR may work with more than one firm to conduct the next round of audits, or possibly choose a prime contractor who would work with several subcontractors.

According to Rodriguez, OCR is asking for a budget raise to fund the permanent audit program, and will also use $4.5 million from the HIPAA non-compliance penalties collected so far.

HIPAA Omnibus Enforcement Action

HIPAA Omnibus compliance enforcement began on September 23rd. So healthcare entities that are wondering about how this new rule is going to be enforced, should take cues from the previous enforcement actions, where the focus was on cases involving major security failures, and where a breach incident led to investigations and later revealed larger systemic issues. Inappropriate disclosure of data and denial of access to patients, are some other cases where enforcement action was seen earlier.

According to Rodriguez, OCR will leverage more civil penalties, and the office has approval to bank these penalties to fund the enforcement actions across fiscal years. In his opinion, this will also enable OCR to maximize funding of the audits and breach analysis activities.

This would mean that entities can expect the monetary penalties imposed by OCR to be significantly higher. The smartest way to deal with this would be to prevent security breaches, ensure compliance, and prepare well in advance for the upcoming audits. Aegify Security Posture Management and Aegify SecureGRC can greatly simplify the process of achieving security and compliance, and enable entities to face the upcoming audits with confidence.

The post Permanent HIPAA Audit Program to Begin in 2014 appeared first on Aegify.

Sharp HealthCare, an integrated delivery system in California also underwent this deadline dash. The Director of Information Security at Sharp, Tom August, said that reviewing all HIPAA-related vendors and following up with them on the new Business Associate Agreements took a lot of coordination and time. His advice to healthcare entities is not to assume that business associate agreements have been documented with all legacy HIPAA-related vendors. Even if the relationship with them is an age-old one, documenting these agreements is crucial.

This has also been the biggest compliance chore at University of Pittsburg Medical Center, where this task is likely to continue for some more time, as the existing Business Associate agreements need to be revised. According to John Houston, Vice President and Privacy and Information Security Officer, the entity will continue to spend significant time on the HIPAA Business Associate agreements since it has chosen to revamp its process to adopt better means of managing business associate agreements.

Although revising business associate agreements has been a mammoth task for healthcare entities, this task was least resisted, and it was seen that vendors and partners understood that these requirements were coming. However, for entities such as Peace Health, a healthcare delivery system in the Pacific Northwest, documentation of these agreements took much more time than expected.

Dena Boggan, HIPAA privacy and security officer at St. Dominic Jackson Memorial Hospital is of the opinion that long-term compliance paid-off in their case. According to her, if the entity had not taken a proactive approach to compliance, revising and reissuing business associate agreements would have been a highly challenging task.

Entities are also having to tie-up loose ends with notices of privacy practices. And to facilitate this, the Department of Health and Human Services issued three model Notices of Privacy Practices that reflect all consumer rights under HIPAA Omnibus. These model notices are in three styles and can be customized by users.

For most entities however, one of the trickiest compliance tasks was to find the time to review and suggest revisions for affected policies and procedures. Some entities created an implementation plan as soon the Omnibus rule was published in January and are reviewing this plan to ensure all tasks have been successfully completed. But those entities that did not plan early are having a tough time ensuring all areas of the organization are compliant with the Omnibus rule.

Training staff about the new compliance requirements is also seen as an important step. Some entities view this as an opportunity to further educate their staff on the need for privacy, security, and compliance. In addition to this, with changes in the breach notification rule, some healthcare entities are re-visiting and revamping their breach assessment procedures and policies to make sure they are able to effectively assess and identify incidents if any.

HIPAA Omnibus compliance is a highly demanding task, and requires entities to take small manageable steps where roles, responsibilities, targets, and timelines are clearly defined. A sure-shot way to achieve compliance is to proactively prepare in advance with the right policies and security frameworks. And this is what Aegify Security Posture Management and Aegify SecureGRC can provide- A built-in framework with compliance best practices that can come a long way not only in safeguarding the privacy and security of information , but also in seamlessly achieving regulatory compliance.

The post Wrapping-Up HIPAA Compliance Chores appeared first on Aegify.