BreachExchange mailing list archives

OCR: Be prepared for HIPAA audits


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 10 Sep 2014 19:45:36 -0600

http://www.healthcareitnews.com/news/ocr-be-ready-hipaa-audits

When the Office for Civil Rights knocks on your door, asking about HIPAA
compliance, it pays to be ready. And OCR is looking to audit providers
ranging from large to small, and across a wide geographical distribution.

That’s according to OCR’s senior advisor for health information privacy
Linda Sanches. Speaking at the HIMSS Media and Healthcare IT News Privacy
and Security Forum in Boston on Tuesday, Sanches told attendees her best
piece of advice about preparing for audits is to actually be in compliance
and to conduct comprehensive risk analysis.

“If you don’t do a periodic risk analysis,” Sanches explained, “you won’t
know where you stand.”

While that advice may seem patently obvious, it’s something myriad
healthcare organizations are still wondering about and one attendee, in
fact, asked Sanches if they really need to conduct a risk analysis before
an audit, or if it makes more sense to wait.

Who to audit or investigate, how much to fine
Sanches acknowledged that it requires heavy-lifting to perform such an
analysis but that it’s better to have one in hand than scramble and pull it
together come audit time.

What’s more, Sanches added that when deciding whether or not to audit a
provider or investigate a reported breach, OCR looks for patterns. So if
the office receives information about a given provider having several
similar breaches and it appears they are not doing anything about them,
that manner of evidence suggesting the provider is not in compliance or
does not have proper procedures set up would weigh heavily into OCR’s
decision.

“The onus is on you to prove you had the proper systems in place,” Sanches
explained. “If you did a comprehensive risk analysis and took the necessary
steps, that’s what you need to show us.”

Organizations that fail to do so are ripe not only for investigations but
also for settlement fines, which range from, say, $215,000 on the low end
right up into the millions of dollars. Many industry observers are curious
as to how the recent Community Health Systems breach, involving some 4.5
million patient records, will play out in terms of a fine.

The factors in determining the size of a fine are laid out in OCR’s rule,
Sanches said, including how much harm was done and how many provisions were
violated.

“The sky is not the limit,” Sanches said of fine totals. “It’s basic math.
How many people were affected?”

When do the audits start?
Sanches’ advice comes at a time when many in the industry are eagerly
awaiting answers to a pair of basic questions: How many covered entities
and business associates does OCR intend to audit — and when will it all
begin?

OCR originally planned to conduct 400 desk audits and “a large number of
on-site audits,” Sanches said. Now they’re looking at “fewer than 200 desk
audits.” She didn't confirm a specific number of on-site audits for
covered entities, but said another wave of business associate audits will
follow those.

As for when OCR will kick off the audits, Sanches said she had hoped to
announce that date on Tuesday, but OCR just isn’t ready yet.

“Stay tuned,” she said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 