Are you ready for the second round of HIPAA audits?

Posted: Jul 11, 2014

Speaking at the American Bar Association Physician Legal Issues Conference last month, Jerome Meites, a chief regional civil rights counsel at the Department of Health and Human Services (HHS), stressed that all laptops and other portable devices holding patient data must be properly secured. Observing that “Portable media is the bane of existence for covered entities. It causes an enormous number of the complaints that OCR deals with”, Meites placed risk analysis at the core of his presentation, stating “everywhere in your system where [patient information] is used, you have to think about how to protect it”.

This fall, the HHS Office for Civil Rights (OCR) will begin the next round of HIPAA audits. The new round is reported to be more targeted than the pilot audits that preceded it, and for many healthcare providers it may already be too late to avoid scrutiny. Already this year HHS has imposed substantial fines on covered entities that failed to meet the requirements of the HIPAA Privacy and Security Rules. Those penalties are a sharp reminder to the healthcare industry to consider PHI at every stage of handling, from a technical, physical and organizational perspective.

As the next wave of inspection looms, here are a few ways healthcare providers can work towards HIPAA compliance:

  • Identify the risks

Perform a risk analysis. The Security Rule requires one, and it is the foundation for everything else: it identifies the threats to, and vulnerabilities in, the confidentiality, integrity and availability of the PHI you hold, everywhere you hold it, including laptops, USB drives, phones and other portable media. Repeat the analysis at least annually, and whenever your systems, vendors or workflows change.

  • Tie up any loose ends

Once you have carried out your risk analysis, implement the safeguards it calls for to secure sensitive data, and keep a record of what you did and why. Auditors ask for evidence that identified risks were addressed, not assurances that they were.

  • Choose your Business Associates (BAs) wisely

Using third-party vendors is commonplace, but a covered entity must have a business associate agreement in place with each BA and satisfy itself that the BA can actually meet its HIPAA obligations. Since the 2013 Omnibus Rule, BAs are directly liable for Security Rule compliance, but a breach at a vendor is still your patients' data and your notification problem.

  • Consider the security of both physical and electronic documents

The needs of businesses and healthcare professionals have changed. Paper handling and physical document storage have dwindled as cloud services and a BYOD workforce have grown. Keep an inventory of where PHI lives, on paper and electronically, including personal devices and cloud services; you cannot protect, or report a breach of, data you do not know you hold. For portable devices in particular, encrypt them: under the Breach Notification Rule, PHI encrypted in line with HHS guidance is not “unsecured PHI”, so the loss of an encrypted laptop is generally not a reportable breach, while the loss of an unencrypted one is.

  • Keep your policies and procedures up to date

You can avoid problems by ensuring your breach notification policies and procedures, and your Notice of Privacy Practices, are up to date. That way you will be prepared should a breach occur or an individual request access to their PHI.

Remember, whether you are a solo practitioner or a healthcare professional within a larger organization, it is vital that you analyze the risks surrounding sensitive data, adopt safeguards, and train everyone in your business who stores, processes or has access to PHI.