Preliminary OCR observations from the first proactive audits highlighted weaknesses in privacy training, safeguards, policies & procedures, sanctions and mitigation. Make no mistake about it: the HIPAA Privacy Rule is well within the scope of the HITECH-mandated audits, and the findings are interesting but certainly not surprising. Here's today's big tip: do a Privacy Assessment!
Do a Privacy Assessment to Prepare for OCR HIPAA Audits and Investigations
Although most healthcare covered entities think they've got their act totally together when it comes to the HIPAA Privacy Rule, preliminary OCR observations from the first proactive audits highlighted serious weaknesses in privacy training, safeguards, policies & procedures, sanctions and mitigation.
Consistently, the same items have appeared among the (typically 10) requirements of OCR Corrective Action Plans, including:
- Develop and implement privacy & security policies and procedures;
- Respond to incidents;
- Implement sanctions for non-compliance;
- Implement safeguards; and,
- Monitor results.
Most breaches result from insider actions, not outside hackers, which is why you should do a Privacy Assessment
According to the recently published Ponemon Institute 2012 Cost of Cyber Crime: US study, malicious insiders are:
- the most expensive type of cyber attack in the US, accounting for 58% of all cyber crime costs annually;
- the attack type with the highest cost increase since 2010, up 66%; and
- the attack type with the longest recovery time, averaging 57.1 days.
In the 2011 Ponemon study, only 30% of breaches resulted from criminal attacks. The remaining 70% were internally driven, including unintentional employee action, malicious insiders and snooping. Only 5% of the breaches on the HHS "Wall of Shame" are attributed to "Hacking/IT Incident" or "Unknown". The other 95% stem from avoidable activities by workforce members: unauthorized access or disclosure, theft, loss, or improper disposal.
How many breaches could be avoided, or the risk reduced, by a focus on procedures, training, sanctions, safeguards, incident response and monitoring?
Privacy-violation complaints to HHS have increased over 40% since HITECH was enacted in 2009, and may reach 12,000 this year. The top four issues have been virtually the same list since 2003:
- impermissible uses and disclosures;
- lack of safeguards;
- patient access; and,
- more than the minimum necessary.
Among the corrective actions organizations have undertaken following complaint-driven investigations: revision of policies and procedures; retraining; disciplinary actions; mitigation of additional harm; and repositioning of log books, monitors and privacy screens.
Unlike the evaluation and risk analysis the Security Rule requires, a Privacy Rule assessment is not required by law, but that doesn't mean it wouldn't be smart to do one!
Actions You Should Take Now to Prepare for OCR HIPAA Audits
We recommend that organizations that have not already done so complete some fundamental preparation activities, which include, but are not limited to:
- Establish a formal Privacy and Security Risk Management & Governance Program (45 CFR § 164.308(a)(1))
- Complete a HIPAA Security Evaluation (45 CFR § 164.308(a)(8))
- Complete a Privacy Rule compliance assessment (45 CFR §164.530)
- Complete a Breach Rule compliance assessment (45 CFR §164.400)
- Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
- Develop comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530, 45 CFR §164.316 and 45 CFR §164.414 )
- Document and act upon a corrective action plan
Please feel free to contact us to benefit from our expertise and help you jump-start your program.
Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.
The complete HIPAA Privacy, Security and Breach regulations are here.
If you'd like to keep up to date on Audit Preparation, Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):
- Joining our AboutHIPAA LinkedIn Group: http://AboutHIPAALI.org
- Subscribing to our eNewsletter: https://clearwatercompliance.com/resources/newsletters/
- Checking our company web site: http://clearwatercompliance.com/
- Attending a HIPAA HITECH live webinar: http://abouthipaa.com/webinars/upcoming-live-webinars/
- Viewing a pre-recorded webinar: http://abouthipaa.com/webinars/on-demand-webinars/
Author: Bob Chaput