OCR to 'ramp up' HIPAA enforcement

'Our caseload continues to increase.'
By Erin McCann , Managing Editor

It should be no news to anyone: The Office for Civil Rights is poised to beef up, “ramp up” and shake up its HIPAA audit program. And, although they’re not out knocking on doors at full force now, don’t be surprised to find audit officials circling your neighborhood later this year.

Or so promised Susan McAndrew, deputy director for OCR’s health information privacy, who spoke at HIMSS14 this past February.

“We are very committed to getting the audit process back in the field after this hiatus of thought and design concerns,” said McAndrew. “In the coming months, you’ll begin to see some actual activity from our office.”

In how many months? No one really knows, or, if they do, they’re not sharing. McAndrew did not clarify when exactly the official audit program was to kick off, and inquiries to OCR yielded little more: People “can anticipate that OCR will announce the audits publicly in advance,” said OCR spokesperson Rachel Seeger. “I regret that we cannot share more details at this time.”

A fall 2013 report published by the Office of the Inspector General identified funding limitations as the main reason the OCR official audit program has yet to move forward.

However, OCR just this February indicated it would be sending a pre-audit survey to up to 1,200 HIPAA-covered entities some time after April 25, collecting data on their use of electronic information, revenue and business locations, a telltale sign that things are at least moving forward.

Don’t get too relaxed, though. One thing that is very much going strong, and will continue to, McAndrew pointed out, is HIPAA privacy and security enforcement.

Just in 2013, HIPAA-covered entities were fined $3.7 million for violating privacy and security rules.

To date, OCR has handed out $18.4 million in fines to 18 HIPAA-covered entities found to have disregarded patient privacy.

Most recently, in March, Skagit County, Wash., was ordered to pay $215,000 after the electronic protected health information of nearly 1,600 patients was accessed because the PHI had been placed on a publicly accessible server. It was the first time a penalty was assessed against an entire county government.

From OCR’s 2012 audit program, one of the biggest oversights by HIPAA-covered entities was failing to perform an adequate risk analysis and then apply its results, OCR officials pointed out.

In addition to implementing thorough risk analyses, encrypting portable devices and having robust privacy and security policies in place, James Wieland, principal in Ober|Kaler’s health law group, said one huge item hospitals need to look out for is user settings. “You’ve got to be careful to control and monitor what settings your sweet innocent users can alter, and turn them off if they’re not appropriate,” he said at HIMSS14 in Orlando.

A HIMSS survey released this February showed that employee snooping on patients’ medical records was the top threat motivator.

Recognizing inappropriate data access by insiders as a breach risk, healthcare groups have increasingly adopted several key technologies governing employee access to patient data, including user access control and audit logs of each access to patient health records, according to the report.

Just this past December, the five-hospital Riverside Health System in Southeast Virginia notified 1,000 of its patients that they were affected by a HIPAA breach after discovering one of its employees had been snooping on patient records for four years.
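The audit logs mentioned above only help against snooping if someone actually compares each record view with the care relationships a user is supposed to have. The following is an added illustration of that check, not code from OCR, HIMSS or any hospital; the log format, field names and the assignment table are all constructed for the example.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed EHR access-audit export: one row per patient-record view.
AUDIT_LOG = """\
ts,user,patient,action
2013-12-02T08:01:00,nurse_a,P100,view
2013-12-02T08:05:00,nurse_a,P101,view
2013-12-02T08:09:00,nurse_a,P250,view
2013-12-02T12:30:00,clerk_b,P100,view
2013-12-02T12:31:00,clerk_b,P300,view
2013-12-02T12:32:00,clerk_b,P301,view
2013-12-02T12:33:00,clerk_b,P302,view
2013-12-02T17:45:00,dr_c,P101,view
"""

# Constructed care-relationship table (hypothetical; in practice derived
# from scheduling or admission feeds): patients each user is assigned to.
ASSIGNMENTS = {
    "nurse_a": {"P100", "P101"},
    "clerk_b": {"P100"},
    "dr_c": {"P101", "P250"},
}

def unassigned_accesses(log_text, assignments):
    """Return {user: [(ts, patient), ...]} for views with no care relationship."""
    flagged = defaultdict(list)
    for row in csv.DictReader(StringIO(log_text)):
        if row["patient"] not in assignments.get(row["user"], set()):
            flagged[row["user"]].append((row["ts"], row["patient"]))
    return dict(flagged)

def review_queue(log_text, assignments, threshold=3):
    """Users whose unassigned views reach the threshold, worst first.

    One stray view is often a consult or a mis-click; a pattern of them is
    what distinguishes snooping and belongs with the privacy officer.
    """
    flagged = unassigned_accesses(log_text, assignments)
    ranked = sorted(flagged.items(), key=lambda kv: len(kv[1]), reverse=True)
    return [(u, len(v)) for u, v in ranked if len(v) >= threshold]

if __name__ == "__main__":
    for user, n in review_queue(AUDIT_LOG, ASSIGNMENTS):
        print(f"{user}: {n} record views without a care relationship")
```

The threshold is a tuning knob: set it too low and legitimate cross-coverage floods the queue, set it too high and a slow, years-long pattern like the one described above never surfaces, so the flagged list should also be kept for retrospective review.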

As OCR’s McAndrew pointed out, they’re in this for the patients. “We’re interested in protecting the data. You may be interested in protecting the property. We want to turn this into property losses as opposed to data losses.”

And that, she concluded, they will continue to do.