On February 24, 2014, the Office of the Secretary, Department of Health and Human Services (HHS), announced plans to submit a new Information Collection Request (ICR) to the Office of Management and Budget (OMB) for public comment on the HIPAA Audit Program.
This information collection consists of a survey of up to 1200 HIPAA covered entities and business associates to determine suitability for the Office for Civil Rights (OCR) HIPAA Audit Program. The survey will gather information about respondents to enable OCR to assess the size, complexity and fitness of a respondent for an audit. Information collected includes, among other things, recent data about the number of patient visits, use of electronic information, revenue and business locations.
OCR is mandated to conduct periodic audits to assess the compliance of covered entities and business associates with the HIPAA Privacy, Security and Breach Notification Rules. This information collection will enable OCR to assess the suitability of respondent covered entities and business associates for audits.
In April 2013, OCR released its findings from the HIPAA compliance pilot audit that was contracted out to and conducted by KPMG. Two of the security findings stand out:
- No complete and accurate risk assessments were found in 66% of the entities.
- Common across all entities was an unawareness of the requirements, including media movement and disposal, and audit controls and monitoring.
What does this mean for solo and small practices and business associates that do not have all the complex regulatory requirements in place? It is a warning shot: use the time it gives you to get your practice's or business's HIPAA compliance efforts in place. There is no doubt OCR is looking for every way it can to expand enforcement efforts. The pilot audit clearly identified the need for additional oversight.
What can you do now? Start by reviewing all the HIPAA Security basics found on the HHS website at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/security101.pdf.
Your practice or business HIPAA compliance priority list must include:
- An up-to-date HIPAA Risk Management Plan that includes all security policies and procedures;
- A recent HIPAA Risk Analysis;
- Staff Security Awareness Training (during onboarding and as a periodic refresher);
- The use of Business Associate Agreements.
For further assistance or guidance, please contact our HIPAA Security Compliance team at info@colingtonsecurity.com.