The post HIPAA Audit: OCR Is On The Move appeared first on Aegify.

The past year had seen enterprises and individuals from various industries falling prey to data breaches and HIPAA compliance failures more so from the healthcare industry. The office for Civil Rights (OCR) has therefore taken stern steps to ensure privacy and security of data across enterprises in 2015. Since the OCR wants to ensure that enterprises, medical practitioners, their business associates and covered entities take proactive steps to ensure compliance to Health Insurance Portability and Accountability Act, they intend to use HIPAA audit Program randomly across enterprises to check for compliance levels. With HIPAA audits in the horizon, enterprises need to institute smart practices and be audit ready.

The increase in HIPAA audits is a part of a stimulus and any complaint of security breach that involves more than 500 people are sure to trigger an audit. So even employers across other industries also need to take proactive steps to be compliant to these regulations, without which they are also liable to hefty fines.

Understanding some of the common pitfalls will help enterprises to avoid the same during HIPAA audits of 2015. These mistakes include:

• Non-compliance with the Security Rule by not updating and encrypting documents and overlooking associate agreements.
• Failures to implement security risk assessment and compliance programs that help employees understand the need for security of PHIs which include vital information and payment card data.
• Non-establishment of security programs that will ensure proactive monitoring of security and performance indicators and failure to continuously train and retrain employees with critical access on documenting processes of the vital data and EHR
• Failure to update Privacy Practices
• Ignoring privacy laws that interact with HIPAA

With OCR using HIPAA audit program to randomly assess covered entities and their business associates for compliance with the HIPAA privacy, security and breach notification rules, they must have a proactive approach to audits. As a step towards this, enterprises need to ensure that their plan is documented and well communicated across the various entities across the organization.

With regulators favouring a risk-based approach, enterprises need to make use of Security and Compliance programs such as Aegify, that will help them evaluate the risks and vulnerabilities in their environments. While this will implement security controls that will address these issues it will also prepare their business to face OCR as and when it reaches them.

The post Common mistakes to avoid to be guarded from HIPAA Audits and Penalties in 2015 appeared first on Aegify.

Following the legal dispute between Texas Health and Human services Commission and its former contractor Xerox, the state agency reported a data breach which affected 2 million individuals. This data breach added to the already existing number of breaches on “wall of shame” of the Dept. of Health and Human Services, which increased the count to 1,167 incidents and affected nearly 41.3 million individuals. With HIPAA breach notification rule being effective since 2009, most of these incidents involved business associates. However, with the HIPAA Omnibus Rule coming into effect business associates and subcontractors have now liable to maintain HIPAA compliance.

Texas HHSC reported the data breach incident as one of unauthorized access or disclosure. While this is believed to have involved electronic records of 2 million individuals this included their birth dates, Medicaid numbers, and medical and billing records related to care provided through Medicaid, reports, diagnosis codes as well as photographs. Even as Xerox takes data security very seriously with data protection measures, the covered entities also need to have in place information security risk analysis and contingency planning. Such proactive measures will help them be prepared to face any issues of business associate destroying protected health information.

Moreover, with OCR enforcing HIPAA, the business associates also need to spell out how they would safeguard the protected health information along with their covered entities. Further, under the HIPAA Omnibus rule, the covered entities need to report any security incidents which are presumed to be data breach cases until the risks are low as per the analysis.

Conclusion
Nevertheless, in the technologically enabled business world that uses portable devices and BYOD options for accessibility, data breaches may be caused due to lost or stolen devices without encryption. The use of comprehensive security solutions such as Aegify Security Posture Management or Aegify Risk Management will healthcare providers and their business associates to keep data threats at bay and maintain periodic risk analysis throughout their life cycle.

The post Why Data Breaches are reported after Vendor Disputes? appeared first on Aegify.

While the audits for HIPAA compliance have become more common, many of the healthcare providers are not still effectively prepared for an audit. These healthcare providers and their business associates may therefore face serious consequences during the next round of OCR audits. What the healthcare providers need to understand is that while the Office of civil Rights is not out to get them, they definitely expect the healthcare enterprises to faithfully take good efforts to protect their vital patient data. Even after two years of 2012 OCR pilot program audits, the covered entities and business associates need to look for more effective measures to protect themselves and not fall victims to past mistakes.

In fact with technology being integrated into the audit process, the healthcare providers need to learn from their past mistakes and be ready to face the OCR audits. The 2012 OCR audits helped to expose the gaps in the healthcare compliance such as:

• Minimum to near to nil protection with absence of even the basic security tools and methods to identify vulnerabilities leading to exposure of patient data
• Clueless about the identification of data location while allowing anywhere any time access to the data from various hand held devices.
• Unavailability of training sessions for employees or techniques for data monitoring and reporting of data breaches.

Since the department of health and human services has recorded more than 500 cases of data breaches effecting 33 million PHI’s in its wall of shame, the covered entities and their business associates need to understand that OCR audits act as a vehicle to help them efficiently monitor HIPAA regulatory compliances. However, as first step to the process, these establishments need to conduct a risk assessment to identify areas of vulnerabilities.

Nevertheless, with HIPAA dictating the need to protect PHI’s, the covered entities and their business associates need to deploy more strategic methods that will help them identify the risks faced by their data. Deploying comprehensive security management solutions such as Aegify Security Posture Management and Aegify Secure GRC will help these healthcare providers face the OCR audits with confidence.

The post Facing OCR Audits with Confidence appeared first on Aegify.

Beginning with 20 “initial” audits the new protocols are to be tested, and the results of these initial audits will determine how and when the remaining audits will be conducted. The new OCR webpage, which carries information on the audit program, states that in the initial round, covered entities of various sizes and functions will be audited, and that business associates will be included in the later audits. The website states that covered entities are expected to extend complete support and cooperation, and also reminds them that the HIPAA Enforcement Rule makes cooperation mandatory.

The initial audit reports from KPMG will be used by OCR to determine what types of technical assistance need to be developed and what are the corrective actions that will prove most effective.

While OCR does not explain how entities will be selected for the audit, you can expect a written notification when your organization has been selected. This notification will also explain details of the program and include initial requests for documentation and information, which have to be provided within 10 business days. Following this, you can also expect a site visit between 30 and 90 days after the notification has been sent.

So are you prepared to face the acid test? How compliant is your entity? How effective are your security policies and protocols? Have you been adequately documenting proof of compliance? It´s time to do a reality check. Our security and compliance solutions have been specifically designed to meet this purpose. While SecureGRC is a completely automated solution which allows you to seamlessly manage compliance and security requirements, the automated HIPAA compliance management toolkit helps you effortlessly meet audit requirements by dramatically simplifying the process.

The post OCR Audits Begin- It’s Time for the Acid Test! appeared first on Aegify.