2016 HIPAA Audits: What to Expect and How to Prepare

HIPAA-regulated healthcare organizations and business associates are under pressure to ensure they’re prepared for the upcoming US Department of Health and Human Services Office for Civil Rights (OCR) audits. Selected health organizations will need to show their compliance with HIPAA security, privacy and breach notification requirements. This is the second phase of HIPAA auditing, but it still leaves many organizations uncertain of what it will mean for the performance of their business if they are selected. Many are concerned about the ramifications of not satisfying the audit requirements.

The OCR is set to review a selection of HIPAA covered entities, which include small medical practices, midsize and large integrated delivery networks, and business associates. Those that are selected must provide documentation and details on their current processes, controls and policies to confirm they are in line with HIPAA requirements. The evaluation can be done in a few different ways: some covered entities may be required to meet face-to-face with the third-party auditors selected by OCR, while others will be asked to provide all required documentation electronically and will interact with the auditors remotely.

Getting your organization ready for the potential audits is crucial. Here are some suggestions on what to expect and how to prep your organization.

What to expect:
The Department of Health and Human Services (HHS) has published the protocol to be used during HIPAA audits on its website. The quantity of listed requirements may seem overwhelming, especially for small to midsize physician practices.

How to prepare:
Take time to learn and understand what’s required of your organization by HIPAA. A third-party compliance consultant can help interpret some of the more complex HIPAA regulations and reduce stress on internal employees. By understanding what the guidelines are, an organization can then ensure they have prepped the proper documentation to prove their HIPAA-compliant status and, more importantly, taken steps to secure protected health information.

Potential challenges:
There are some critical processes and procedures that must be documented and reviewed to demonstrate how an organization is protecting patient data, from both administrative and technical standpoints. Large healthcare entities generally have dedicated security and compliance resources available to them.
Smaller medical groups are challenged by their lack of resources in comparison to their larger counterparts. Many smaller groups rely on third-party technology vendors that may not have sufficient understanding of HIPAA requirements to ensure that appropriate documentation is kept and that staff members receive adequate training.

Stay Ready:
Healthcare groups, business associates and covered entities should ensure that their ongoing HIPAA compliance efforts stay updated and in line with HHS and OCR requirements. Create a long-term, continuous plan, because even as their systems and industry regulations change, organizations must continue to protect all of their patients’ data. Those that have not recently evaluated their HIPAA compliance should do so soon and make it a recurring task.

HIPAA covered entities should always be aware of their compliance status, not just when auditors are knocking at their door. HIPAA audits are here to stay, and this year is likely to be a preview of future rounds of audits in the next few years. While some are confident about facing their auditors, others will be forced to address gaps in their compliance and be hit with financial penalties. On top of the penalty, they’ll have to pay for remedying the issues identified during the review process. In the meantime, all covered entities should pay close attention to what the groups audited before them have to say about their experience.

How Obama’s HIPAA Modifications for Gun Control Will Impact Health IT

For years, the US has endured a series of disturbing and violent shootings, mainly at the hands of mentally unstable persons. These mass shootings have sparked debate over what the country should do, if anything, to reduce gun violence. No matter which side of the gun control debate you’re on, most rational people will agree that guns should not be getting into the hands of people who have mental health conditions. Rather, those people should be getting help from the many qualified professionals in our mental health system. Thankfully, the Brady Gun Law has already been in place, but stricter requirements and background checks are clearly needed.

On Jan. 4, the Obama Administration announced its new strategy to reduce gun violence. These actions are mostly focused on closing loopholes, including requiring background checks at gun shows and online, with the ultimate goal of diminishing gun violence. The new executive actions, which include a new $500 million investment to help engage individuals with serious mental illness in care, will be a major focus of the mainstream media. For those of us in the health IT world, though, it is an amendment to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule that will affect us.

While limited in its design, it’s still a step in the right direction. An HHS (Department of Health and Human Services) press release on the final ruling notes, “The new modification is carefully and narrowly tailored to preserve the patient-provider relationship and ensure that individuals are not discouraged from seeking voluntary treatment. This rule applies only to a small subset of HIPAA covered entities that either make the mental health determinations that disqualify individuals from having a firearm or are designated by their States to report this information to NICS – and it allows such entities to report only limited identifying, non-clinical information to the NICS. The rule does not apply to most treating providers and does not allow reporting of diagnostic, clinical, or other mental health treatment information.”

Furthermore, identifying patient information will be needed to complete the background check, and it needs to be made easier and clearer how HIPAA covered entities can share this data. Obama’s amendment will help accomplish that goal. However, some medical professionals have expressed concern that the change will discourage people from seeking treatment. Indeed, while the patient-provider relationship is one that should certainly be respected, it is more important to potentially save lives by providing these mental health records to the people who need them.

So how do healthcare IT teams prepare for the new law? While we’re still waiting for further information, medical organizations need to begin to prep their security infrastructures. Access to this sensitive information will now need to be made available to authorized parties while still securing the overall database. Working with consultants such as Gordian Dynamics will help your health organization create and execute a plan that will enable you to be ready for the new laws.