Meticulous Records Key to HIPAA Audit Success

By: Absolute Editorial Team | 6/27/2014

The next round of HIPAA compliance audits is set to begin in Fall 2014. Unlike the previous audits, which saw an escalation in non-compliance penalties, this next round will have a narrower focus and will not be done in person. Meticulous records are key to passing this round of scrutiny, says privacy attorney Adam Greene in an article on Healthcare InfoSecurity.

Unlike the in-person audits conducted in 2012, these “desk audits” will be performed remotely by the Department of Health and Human Services' Office for Civil Rights (OCR), which is looking to review documentation quickly.

"Your documents really need to speak for themselves," says Greene, a partner at law firm Davis Wright Tremaine and a former OCR staff member.

"If you're a well-organized organization, I think these desk audits will make things significantly easier," Greene says. "On the other hand, if you're not a well-organized organization, this could be a bit tougher on you. OCR has indicated they are not going to do follow-up questions ... so you want your policies and procedures to tell a good story of your compliance. You won't have the same opportunity as [in the pilot program] to explain things to the auditors."

About 350 covered entities will be audited this Fall, with an additional 50 business associates audited in 2015. Audits will focus on specific areas of HIPAA compliance, including the HIPAA privacy rule, compliance with the HIPAA Omnibus breach notification rule, and the HIPAA security rule (particularly risk analysis). Organizations have about 2 weeks to submit information to OCR.

One of the benefits of Absolute Computrace is its foundational support for all activities related to Governance, Risk Management and Compliance (GRC) for the endpoint. With a persistent connection to each device, we are able to provide compliance reports and certificates in addition to security incident response and remediation. This means that, in the event of device theft, Absolute Computrace customers can remotely lock down devices and delete data, with an audit trail to prove that data has not been compromised. This is key to avoiding data breach notification requirements and to providing this information easily and quickly to OCR.

With an expanded network of potential non-compliance, more audits, and higher penalties, IT departments need to employ proactive defensive strategies to improve data privacy and security. Absolute Software is currently offering a complimentary report from Gartner that examines the impact of the new HIPAA regulations and enforcement. “Gartner Report: As HIPAA Regulations Get Teeth, Healthcare Feels the Bite” includes insight on how to implement a risk management program, how to evaluate specific compliance activities based on advice from legal counsel, and the need to revisit security planning to ensure existing protocols are appropriate based on your HIPAA risk assessment.