HIPAA Audits

HIPAA security audits will continue in 2013 and probably in the years to come. Shouldn't you at least be familiar with their findings and prepare, just in case?

Call me lazy if you must, but with all the new regulations (including the HIPAA Omnibus Rule), healthcare reform initiatives, meaningful use, changes in patients' buying trends, social networking, etc., I crashed this last Saturday. By crashing I mean I spent over 24 hours in bed on Saturday without the energy to move. Then came the sniffles and the cough, which have not allowed me to sleep more than one hour straight in the last two days. Of course, as I'm writing this I'm not at home in bed in my "jamies" but in Pennsylvania, working with my oldest client.

To those of you who know me better: I promised I will take some time off this coming weekend when I get back home. In the meantime there is too much to do, so I wanted to share some quick bits of information.

We are well into 2013, and my crystal ball is telling me of plenty of opportunities as well as areas to be concerned about. The opportunities vary from practice to practice, but today I will simply cover HIPAA Security. According to Leon Rodriguez (director at the Department of Health and Human Services), covered entities have a mountain of work to do in the area of HIPAA compliance. In addition, Mr. Rodriguez states that the HIPAA audits are to resume and ramp up over 2013 with strong funding and renewed vigor.

To keep matters simple, HIPAA should be seen as two major areas: Privacy (patient information) and Security (electronic information). In reality, HIPAA Security is exponentially more complex than HIPAA Privacy, and so far I have not seen anyone complying with its requirements.

Based on the 2012 audits the specific areas in need of work included but were not limited to:

  • Risk analysis had never been performed
  • Non-existent contingency plans
  • Outdated or non-existent policies and procedures
  • Weak IT security

To that I can add a lack of training, and risk analyses that did not meet the intent of the law.

As I said before, I'm creating an online suite of products to meet some of these requirements. However, there are other actions that I would recommend:

  • Get a risk assessment/analysis done. You may as well do one for HIPAA Privacy too.
  • Develop a written contingency plan for your IT system.
  • Update your policies. Your HIPAA Security policies should at the very least cover each of the 44 implementation specifications. Also, take the time to update your OSHA and HIPAA Privacy policies, and get one for Compliance as well.
  • After completing your gap/risk analysis, train your people.

While the Government is having a hard time balancing the budget, the same is not true regarding enforcement actions, so don't take chances. According to Mr. Rodriguez, "…I expect we are going to see monetary settlements for a long time to come…" I should be back home next week, so who wants to see me?