Conducting ongoing risk assessment is the key to tackling the upcoming HIPAA audits. Verne Rinker, a Health Information Privacy Specialist of the HHS Office of Civil Rights, in an interview with Information Security Media Group, revealed that out of the 115 entities audited during the pilot program last year, two-thirds had either non-existent or inaccurate risk assessments. Therefore Rinker’s suggestion for covered entities is to conduct comprehensive risk analysis that would cover all systems since they are subject to change as the IT infrastructure keeps changing. According to Rinker, risk assessments should be ongoing, so that they can detect risks in new systems as well as those in existing ones.
With the permanent HIPAA audit program scheduled to begin sometime after the start of the fiscal year 2014, it's time organizations started looking at risk assessment as a regular part of their business.
Highlighting the key findings of the pilot program, Rinker said that there were no clear trends when it came to privacy findings. But about 44% of organizations had trouble spots in the use and disclosure of PHI, an alarming 47% were identified with problems related to policies and procedures, and 26% had training deficiencies.
Speaking about the challenges involved in HIPAA compliance, Rinker explained that risk analysis and ongoing risk assessment stand out as a major challenge, and that those entities which did not carry out risk assessments, or had done a poor risk assessment, showed a pattern of non-compliance with the HIPAA rules.
Rinker said that the OCR is in the process of updating the audit protocol and that while the current website has the pre-HITECH protocol, with the change in provisions and criteria, the audit protocol would be updated. When the website finally publishes the audit protocol, it would be in compliance with the HITECH standards.
The upcoming audit program may be much narrower in scope according to Rinker, who said that the pilot audit program covered 59 individual requirements and standards, which is a substantial number, and that it is unlikely a permanent program would be so comprehensive in scope. Hence the upcoming audits are expected to be much more streamlined, with a smaller scope, and would aim to reach a broader range of covered entities and business associates.
All organizations that wish to prepare for the audits should have an active, integrated, and fully functional HIPAA compliance program in place, according to Rinker. A comprehensive platform like Aegify Security Posture Management or Aegify SecureGRC can greatly simplify this task and ensure compliance with HIPAA. Rinker also said that entities should look at the audit protocol on the OCR website to assess how they measure up to the existing standards, and advised covered entities to conduct a comprehensive risk analysis covering all systems, as these are subject to change with any changes in the IT infrastructure. Therefore 'ongoing' risk assessment is the key. While it can catch vulnerabilities in new systems, it can also detect risks in existing ones and help correct them in a timely manner.