I have been preaching for a while now that it would only be a matter of time before stepped-up enforcement by the government for the HIPAA Security Rule would begin. Well, it appears that time may be coming this fall.
In a recent article in Health IT Security, a spokesman for the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) indicated that final plans for implementing these new audits were being made. The plans include using both field and headquarters staff for the initiative.
OCR Director Leon Rodriguez has publicly stated that future audits will be narrower in scope but will include more organizations than ever before. He has said both covered entities and their business associates will be audited under the new permanent program that will focus on vulnerabilities.
Director Rodriguez will soon be leaving HHS to become the Director of U.S. Citizenship and Immigration Services at the U.S. Department of Homeland Security. How that will affect the future of HIPAA compliance enforcement remains to be seen. My sense is enforcement will continue full steam ahead.
OCR will pay closer attention to how a practice or business conducts its risk analysis. The risk analysis continues to be the primary foundation for compliance with the HIPAA Security Rule. Late last month, HHS released a security risk assessment tool to help providers with HIPAA compliance. There are a total of 156 questions in the tool that documents your answers. The tool guidance claims to serve as a local repository and does not send your data anywhere. Remember, this is a resource provided by HHS, and it is on the agency’s website. Enough said. You can obtain a paper version of the tool if you are concerned about privacy.
The risk assessment tool is a good way to at least recognize the requirements for HIPAA Security Rule compliance. The tool will not provide you a risk assessment or a risk management plan, both critical elements for compliance.
If your practice or business has been putting off getting its HIPAA house in order, now may be the time to start.
Author: Jay Hodes is the President of Colington Security Consulting LLC and the former Assistant Inspector General for Investigations at the U.S. Department of Health and Human Services, Office of Inspector General. In that position he supervised over 200 Special Agents and professional support staff responsible for health care fraud and medical identity theft investigations throughout the eastern United States.
His company provides assistance with HIPAA Security Rule compliance by conducting risk assessments and writing practice specific risk management plans. The assessments identify vulnerabilities and risks; determine the potential impact and provide a gap analysis action plan to prevent unauthorized access, tampering and theft.
Please contact Jay with any questions you have at jhodes@colingtonsecurity.com.