4 keys to HIPAA audit prep
With the delay of the Office for Civil Rights (OCR) HIPAA audits, organizations would be wise not to push compliance further down the priority list. Yet many are woefully unprepared for both data breaches and the audits, writes Mark Fulford, partner at LBMC Security & Risk Services, in an article at Health IT and Security Review.
"If organizations let down their guard, they will become vulnerable to both data breaches and the OCR audits themselves when they inevitably arrive," he says. "And all indications are that the audits will bring an unprecedented level of scrutiny and enforcement to healthcare security."
Being chosen for an audit means submitting documentation of your organization's compliance. Yet HIPAA guidance isn't specific, he says, allowing you to explain your reasoning behind your security approach.
Among his recommendations:
- Conduct a risk assessment. Evaluate your organization before OCR does, making sure you have everything covered, including servers, personal computers, mobile devices and more.
- Document everything. Keep detailed records of your security measures and procedures, as well as your incident response plans.
- Identify your business associates. Verify that these entities also maintain appropriate security.
- Train your team and stay up to date. Security is a team effort; ensure that your employees are trained to respond to phishing, social engineering, malware and other attacks.
Despite a proliferation of healthcare breaches and warnings from the Office for Civil Rights that it plans to crack down on organizations that don't effectively protect patient data, research from ProPublica found that few organizations actually have been fined for it.
However, that's expected to change. Privacy attorney Adam Greene said he's heard that OCR has a pipeline of "unprecedented" settlements in the works.
An OCR attorney made a similar statement nearly a year ago. Jerome B. Meites, OCR chief regional counsel for the Chicago area, said the HIPAA enforcement actions over the past year would pale in comparison to the following 12 months.
To learn more:
- find the article