
HIPAA Audits: Taking Steps for Success

By: Absolute Editorial Team | 10/15/2014

The Department of Health and Human Services' Office for Civil Rights (OCR) has been planning a new round of “desk audits,” and healthcare organizations have been advised to conduct a comprehensive risk analysis and to be prepared for these audits. The more you are in compliance, and can prove compliance, the better your chances of coming through an audit successfully. As has been mentioned before, meticulous records are key to HIPAA audit success.

Speaking in September at the HIMSS Privacy and Security Forum, OCR’s senior advisor for health information privacy, Linda Sanches, shared her thoughts on HIPAA audits with Healthcare IT News. To clarify, Sanches says that risk analysis should be done before an audit, not after:

“If you don’t do a periodic risk analysis, you won’t know where you stand,” Sanches noted.

In the event of a breach, Sanches explains that “the onus is on you to prove you had the proper systems in place. If you did a comprehensive risk analysis and took the necessary steps, that’s what you need to show us.”

One of the benefits of Absolute Computrace is its foundational support for all activities related to Governance, Risk Management and Compliance (GRC) for the endpoint. With a persistent connection to each device, we are able to provide compliance reports and certificates in addition to security incident response and remediation. This means that, in the event of device theft, Absolute Computrace customers can remotely lock down devices and delete data, with an audit trail to prove that data has not been compromised. This is key to avoiding data breach notification requirements and to providing this information easily and quickly to OCR.

For more on the current state of HIPAA and how it impacts healthcare organizations, we offer the following resources:

  • A complimentary report from Gartner: As HIPAA Regulations Get Teeth, Healthcare Feels the Bite. This report includes insight on how to implement a risk management program, how to evaluate specific compliance activities based on advice from legal counsel, and the need to revisit security planning to ensure existing protocols are appropriate based on your HIPAA risk assessment.
  • Stephen Treglia again takes a look at the regulatory landscape of compliance penalties and class action damages in our webinar on the Healthcare Budget Crisis.
  • Another complimentary report from Gartner, Top Actions for Healthcare Delivery Organization CIOs: Get Realistic about HIPAA Security, looks at how to move accountability for information security and privacy up to the board level by leveraging the increasing public attention to privacy breaches.