Is Your Organization Ready for the 2016 OCR HIPAA Audits?

Posted by John Dimaggio on Mar 16, 2016 1:47:27 PM

In OCR Random Audits

If you are a covered entity or business associate, the Office for Civil Rights (OCR) may have you in its crosshairs. In a recent interview, Deven McGraw, OCR's Deputy Director for Health Information Privacy, announced that the new audit protocol is complete and will be released in April, with random audits to follow shortly thereafter.

The audits are intended to ensure that covered entities and business associates are adhering to the HIPAA Privacy and Security Rules. OCR is expected to conduct about 200 remote desk audits that will focus on a limited set of requirements, the details of which will be disclosed as the audit date nears. OCR is also expected to conduct 10-25 comprehensive onsite audits.

Covered entities and business associates selected for the audit will likely represent a blend of organizational types, sizes and geographic locations. In other words, ANY covered entity or business associate could be selected.

Even if your organization is not selected for an OCR random audit, keep in mind that failure to comply with HIPAA regulations can result in hefty fines, negative publicity, reputational damage, legal fees and lengthy government corrective action plans. Breaches or complaints can lead to OCR investigations and bring additional costs, including credit monitoring fees for affected residents. The extent of these costs can be driven up or mitigated based on the demonstrated compliance of your organization.

So how do you ensure compliance? Conduct regular HIPAA Security Risk Assessments and evaluate whether your organization is complying with the HIPAA Privacy and Breach Notification regulations. A thorough and accurate security assessment will address all applicable areas of your organization within the scope of the 60+ HIPAA Security Rule components, and a thorough review or gap analysis of the Privacy and Breach requirements will identify the areas that need to be addressed.

Implement an active security plan. A good security plan is the product of a good risk assessment. The plan should clearly state the gaps identified in the risk assessment, along with assigned resources and projected completion dates. Beyond thorough content, each organization must actively manage the plan and demonstrate that reasonable remediation progress is being made. Note that open remediation items are still potential violations and can produce negative consequences in the event of a HIPAA audit, so move as quickly as possible.

Evaluate the agreements, requirements and practices you have in place with third-party IT service providers and other Business Associates. It is critical to confirm that Business Associate Agreements are in place, are HIPAA compliant, and are reviewed consistently.

Encrypt your EPHI. Encryption prevents sensitive information from being compromised in transit or at rest. Note that in a potential breach event (a compromise of the privacy or security of PHI), the burden of proof is on the organization to systematically demonstrate a low probability that the information was compromised. Simply put: "guilty unless proven innocent."

Finally, don't underestimate the complexity of HIPAA compliance. Complex, ever-changing regulations, increased vulnerabilities, the adoption of new technologies and changes in business processes can make it difficult to stay ahead of emerging threats. Consider hiring a compliance partner to help navigate the process by designing a customized approach based on your organization and tailored to your specific regulatory requirements and state statutes.

BlueOrange Compliance has been providing privacy and security assessments, remediation and guidance since the inception of HITECH, and has over 50 years of combined experience in technology security, compliance and healthcare. Our national client base consists of hospitals, physician provider practices, nursing facilities, LTC pharmacies, LPCs, CCRCs, homecare, hospice and business associates. If you want to learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit us at blueorangecompliance.com.