There’s a lot of buzz right now about cyber security in healthcare, with growing evidence that government leaders are pushing for breach penalties at the same time. What can you expect as the government changes and updates its rules and brings a new focus on compliance? Audits. More rule changes. Enforcement. The bottom line is privacy through security.
Take audits, for example. Ashburn, Virginia-based FCi Federal has been picked as a new auditing vendor, OCR confirmed to FierceHealthIT. “Audits are really a critical compliance tool for us because they enable us to get out in front of potential industry problems before they result in a breach … and they enable us to better tailor our guidance and our technical assistance to ensure that we’re addressing the most common problems,” OCR Director Jocelyn Samuels commented.
Two recent reports from the HHS (Department of Health & Human Services) Office of Inspector General (OIG) have criticized OCR’s oversight of HIPAA covered entities and its breach follow-up efforts. Both reports were issued in September of this year: one focuses on Oversight of Covered Entities’ Compliance (PDF), and the other examines why “OCR Should Strengthen Its Followup of Breaches of Patient Health Information Reported by Covered Entities” (PDF).
No more playing nice? The report calling for strengthening OCR oversight on breaches concludes:
“OCR should (1) fully implement a permanent audit program; (2) maintain complete documentation of corrective action; (3) develop an efficient method in its case-tracking system to search for and track covered entities; (4) develop a policy requiring OCR staff to check whether covered entities have been previously investigated; and (5) continue to expand outreach and education efforts to covered entities. OCR concurred with all five recommendations and described its activities to address them.”
And the auditing and crackdown on HIPAA requirements isn’t limited to healthcare providers. In an article entitled “Business Associates: The Next HIPAA Enforcement Target” at Healthcare Info Security, attorney Adam Greene of Davis Wright Tremaine emphasizes that “there is probably [enforcement] work going on behind the scenes” related to business associates. “What we tend to see for settlement agreements is, on average, two to three years between an incident occurring – such as a reportable breach to OCR – and then the resolution agreement will come out.” We’re pleased to report that the Revenue360 system and other solutions offered by the SSI Group, its parent company, are compliant with all HIPAA requirements for business associates.
And that probably signals a role change for at least some on IT security teams. In the Journal of AHIMA, we find this observation about the “evolution” of the “privacy officer”: “The transition from the role of a privacy officer to the role of a chief information governance officer isn’t going to happen overnight, but I would argue the skill set is there. If we are willing to take the risk and get out of our clinical comfort zone, we will work our way beyond HIPAA to projects like enterprise social media policy, mobile device management, protection of intellectual property, and IG workforce awareness.”
Helping you achieve these compliance goals is what our practice at Eagle is all about. Eagle Consulting Partners is pleased to offer a series of HIPAA policy templates that save your management team time and money by matching the business processes of a cloud computing vendor to compliance requirements. We also provide templates for physicians’ practices, and of course we are available for meaningful use security measures consulting. Now is a good time to update your healthcare cyber security procedures.