In Part 2 of this three-part series, we took a deep look into the preliminary HIPAA Audit findings and observed the most common infractions identified by OCR. Specifically, security gaps accounted for the majority of results, with the lack of risk assessments and inadequate mobile device security being two of the most cited weaknesses. Fortunately for those selected in the 2012 pilot phase of the audits, OCR was primarily focused on using the exercise to educate covered entities about serious HIPAA issues. Unless a provider exhibited willful ignorance of the HIPAA regulations, criminal and civil penalties were mostly left off the table. Unfortunately, when the audit program is extended in 2014, this free pass will no longer be available. To repeat: if your organization is audited in the future and is shown to be violating HIPAA, severe penalties will be issued.
However, providers still have some time to tighten up processes before the inevitable HIPAA audit. Conscientious covered entities who pay heed to OCR’s recommendations and respond accordingly will help themselves build up the most goodwill. So what should they do?
Above all else, covered entities should conduct frequent (at least annually) internal risk assessments. In addition to being required under the HIPAA Security Rule, conducting a regular risk assessment is a great practice to get into; by systematically observing all of the potential places where PHI can be accessed and developing a plan to correct any gaps, a provider dramatically decreases the chances that its patients’ information can fall into the wrong hands. HHS has provided guidance on how to conduct a risk assessment. This isn’t something that needs to be outsourced to pricey consulting firms; rather, providers are encouraged to self-administer their assessments to analyze their security risks adequately.
Performed correctly, a risk assessment should allow a covered entity to uncover the same weaknesses in its HIPAA compliance that OCR highlighted in the pilot audits. One such concern is how an entity prevents PHI from being stored on unsecured mobile devices. If you are a hospital administrator who allows provider employees to store pieces of patient information on laptop computers, removable hard drives, smartphones, or any other mobile device, OCR is going to ask you to produce your documented device and media control plan. As with any other required implementation specification, the absence of this document will lead to strict monetary penalties.
In August, OCR is expected to come out with some additional guidance for those who will be subject to a HIPAA audit in the future. You can be sure that they will once again underscore the importance of putting together a risk assessment and an associated documented plan. The HIPAA enforcement agency does not expect complete HIPAA compliance on each and every regulation buried in the thousands of pages of text, but it does expect all entities to have the foundational HIPAA compliance element of a risk assessment in place. Conducting regular assessments will take providers a very long way in passing the dreaded HIPAA audit.