With the permanent HIPAA audit program scheduled to begin sometime after the start of the fiscal year 2014, its time organizations started looking at risk assessment as a regular part of their business.

Highlighting the key findings of the pilot program, Rinker said that there were no clear trends seen when it came to privacy findings. But, about 44% organizations had trouble spots in areas of use and disclosure of PHI, and quite an alarming number of organizations, 47%, were identified with problems related to policies and procedures, and 26% had training deficiencies.

Speaking about the challenges involved in HIPAA compliance, Rinker explained that risk analysis and ongoing risk assessment stands out as a major challenge, and that those entities which did not carry out risk assessments, or had done a poor risk assessment, showed a pattern of non-compliance with the HIPAA rules.

Rinker said that the OCR is in the process of updating the audit protocol and that while the current website has the pre-HITECH protocol, with the change in provisions and criteria, the audit protocol would be updated. When the website finally publishes the audit protocol, it would be in compliance with the HITECH standards.

The upcoming audit program may be much narrower in scope according to Rinker, who said that although the pilot audit program covered 59 individual requirements and standards, this is a substantial number and it is unlikely that a permanent program would be so comprehensive in scope. Hence the upcoming audits are expected to be much more streamlined, with a smaller scope and would aim to reach a broader range of covered entities and business associates.

All organizations that wish to prepare for the audits should have an active, integrated, and fully functional HIPAA compliance program in place, according to Rinker. A comprehensive platform like Aegify Security Posture Management or Aegify SecureGRC can greatly simplify this task and ensure compliance with HIPAA. Rinker also said that entities should look at the audit protocol on the OCR website to assess how they measure up to the existing standards, and advised covered entities to conduct a comprehensive risk analysis considering all systems, as these are subject to change with any changes in the IT infrastructure. Therefore ‘ongoing’ risk assessment is the key. While it can catch vulnerabilities in new systems, it can also detect risks in existing ones and help correct them in the timely manner.

The post Thorough Risk Assessment-The Need of the Hour appeared first on Aegify.

The pilot HIPAA program conducted by HHS Office of Civil Rights last year brought to light, the disturbing fact that most healthcare providers did not conduct timely risk assessments. The audits clearly revealed that this specific requirement under the rule was not met by many providers. According to OCR, out of the 115 healthcare entities that were audited during the pilot program in 2012, the most commonly seen weakness was the lack of a thorough and timely risk assessment.

Taking this into account, the tiger team plans to explore methods that will call for greater attention to existing requirements in Stage 3, mainly addressing the question whether self-attestation by healthcare entities is an effective means to ensure that risk assessments are being done, and if so are they being done well. A subgroup of the tiger team is likely to examine the effectiveness of the attestation process itself. The tiger team will continue to investigate how best to ensure security in health information exchange, and the team has scheduled a virtual meet on the 24th of June to discuss matters involving non-targeted queries, and to share experiences in dealing with non-targeted queries.

While Stage 1 of the EHR incentive program emphasized that participants in the program should attest that risk assessment has been conducted, Stage 2, which is set to begin in 2014, will require healthcare providers to further attest that their risk assessment addressed encryption for data at rest, and if the data has not been encrypted they have to document what other methods have been used to protect data. Stage 3 goes one step further to check the reliability and effectiveness of the attestation process.

Healthcare entities should therefore prepare themselves well to meet these changing requirements, and a thorough risk assessment should be the first step in this direction. A comprehensive solution such as Aegify Security Posture Management and Aegify SecureGRC is the need of the hour. With built in capabilities that address all risk assessment and health information security needs, this solution can alleviate pressure, simplify compliance, and in turn facilitate meaningful use of EHR.

The post More Emphasis on Risk Assessments in Stage-3 of Incentive Program appeared first on Aegify.

The lack of a current and  thorough risk assessment can be very costly and  a recent action by federal regulators reiterated  the same. The authorities have issued penalties in excess of $1 million to two organizations that were investigated post minor breaches. And these organizations were found to be lacking in current risk assessment as required under HIPAA. The Department of Health and Human Services’ Office for Civil Rights issued a $1.5 million HIPAA penalty against one of the organizations, Massachusetts Eye and Ear Infirmary as part of a settlement agreement. The report of a breach involving a physician’s stolen unencrypted laptop also sparked an OCR investigation.

Likewise an investigation  triggered by the theft of an unencrypted storage device in June, resulted in the OCR issuing a $1.7 million penalty against the Alaska Department of Health and Social Services. While each case had alleged HIPAA compliance shortcomings, the  lack of risk assessments  seemed to be strategic in the regulator’s decisions to impose hefty penalties.

An enterprise that is able to enforce strict corporate policies and adhere to all the latest regulatory requirements will be able to protect vital information assets, keep customer confidence, and safeguard business interests. Many industry experts opine that such incidents emphasize the need for organizations to improve their HIPAA compliance efforts. The recent final rules for Stage 2 of the HITECH Act, electronic health record incentive program are another excellent gauge of the significance that is placed by regulators on risk assessments as well as encryption.

As any failure to conduct a thorough, timely risk assessment will result in severe penalties by the OCR in the coming months, health care organizations need a reliable solution that can take care of all the security requirements. Secure GRC from eGestalt is one such solution that  has an in-built HIPAA compliance framework and allows organizations to steer clear of security challenges by effectively addressing all its compliance, audit, assessment, and risk management needs.

The post Risk Assessment Is Imperative – Avoid Small Breaches Becoming Huge Penalties appeared first on Aegify.