Protecting patients’ health information is critical, especially today, when data breaches and hacker attacks have become more prevalent. After a two-year delay, the Department of Health and Human Services’ Office for Civil Rights (OCR) will begin auditing organizations for digital record compliance under HIPAA later this year.
You might recall the pilot phase of OCR HIPAA audits, which started back in 2012; official audits were expected to begin in fall 2014. The audit program was delayed, however, due to technical problems with the agency’s web portal and with its digital system rollouts, among other reasons, notes TechTarget. In addition, Congress has not granted the OCR any earmarked funding to sustain a permanent audit program.
“A lot of people didn’t necessarily take the audits seriously because of the poor state of cybersecurity in healthcare, but the feds don’t have any choice but to do this and take their mandate seriously,” said Rob Rhodes, an advisory board member of the Association for Executives in Healthcare Information Security, and vice president for product management at health IT security software firm Iatric Systems Inc., in the TechTarget article.
According to the HIPAA legislation’s Final Security Rule of 2003, health care providers are required to carry out thorough risk assessments. In its early auditing, the OCR found that 80 percent of audited businesses did not comply fully with the risk assessment rule. It also found that those organizations were failing to comply with the HIPAA Omnibus Rule of 2013, which required business associates to follow the same HIPAA guidelines.
Phase two of the audit program is expected to roll out later this year, and the OCR has begun the process by sending a series of notification letters to health care organizations, business partners and other operations that are subject to HIPAA rules to verify the correct primary contacts and email addresses. According to TechTarget, it is believed that the OCR has sent verification notices via email or regular mail to approximately 1,200 individuals and organizations.
David Holtzman, vice president of compliance at CynergisTek Inc., told TechTarget that when the organizations respond to the verification notice, the OCR will send surveys to gather more information about each responding practice. It will then choose a representative sample – expected to be roughly 200 – and conduct a first wave of auditing.
While the program has been on hold for two years, now is the time to ensure that your health care organization’s client data meets federal requirements for protection and security. At CWP Tech Solutions, we know the ins and outs of managing HIPAA-compliant IT services and can help ensure that your practice or organization is ready and up to the standards of the law. Let our professionals help ensure that your patient data is protected and audit-proof by giving us a call today at 301-662-6219.