This entry is part 15 of 27 in the series HIPAA Audit Tips

Preliminary OCR observations from the first proactive audits highlighted weaknesses in Privacy Rule training, safeguards, policies & procedures, sanctions and mitigation.  Make no mistake about it, the HIPAA Privacy Rule is well within scope of the HITECH-mandated audits, and the findings are interesting but certainly not surprising.  Here’s today’s big tip – Do a Privacy Assessment!

Do a Privacy Assessment to Prepare for OCR HIPAA Audits and Investigations

Initial OCR Privacy Rule Audit Findings

Although most healthcare covered entities think they’ve got their act totally together when it comes to the HIPAA Privacy Rule, preliminary OCR observations from the first proactive audits highlighted serious weaknesses in privacy training, safeguards, policies & procedures, sanctions and mitigation.

Consistently, six of the roughly 10 requirements that appear in OCR Corrective Action Plans have been:

  • Develop and implement privacy & security policies and procedures;
  • Respond to incidents;
  • Train;
  • Implement sanctions for non-compliance;
  • Implement safeguards; and,
  • Monitor results.

Most breaches result from insider actions, not outside hackers, which is exactly why you should do a Privacy Assessment

According to the recently-published Ponemon Institute 2012 Cost of Cyber Crime Study: United States, malicious insiders are:

  • the most expensive type of cyber attack in the US, accounting for 58% of all annual cyber crime costs;
  • the attack type with the highest cost increase since 2010, up 66%; and,
  • the attack type with the longest recovery time, averaging 57.1 days.

In the 2011 Ponemon study, only 30% of breaches resulted from criminal attacks. The remaining 70% were internally driven, including unintentional employee action, malicious insiders and snooping.  The HHS breach portal (the “Wall of Shame”) tells the same story: only 5% of the breaches listed there are attributed to “Hacking/IT Incident” or “Unknown”.  The other 95% are avoidable activities by workforce members: unauthorized access or disclosure, theft, loss, or improper disposal.

How many breaches could be avoided, or the risk reduced, by a focus on procedures, training, sanctions, safeguards, incident response and monitoring?

Privacy-violation complaints to HHS have increased over 40% since HITECH was enacted in 2009, and may reach 12,000 this year. The top four issues have been virtually the same list since 2003:

  • impermissible uses and disclosures;
  • lack of safeguards;
  • patient access; and,
  • more than the minimum necessary.

The corrective actions organizations have undertaken following complaint-driven investigations are equally familiar: revision of policies and procedures; retraining; disciplinary actions; mitigation of additional harm; and re-positioning of log books, monitors and privacy screens.

Unlike the Security Rule, which requires a risk analysis, the Privacy Rule does not require a formal privacy assessment, but that doesn’t mean it wouldn’t be smart to do one!

Actions You Should Take Now to Prepare for OCR HIPAA Audits

We recommend that organizations that have not already done so complete some fundamental preparation activities, which include, but are not limited to:

  1. Establish a formal Privacy and Security Risk Management & Governance Program (45 CFR § 164.308(a)(1))
  2. Complete a HIPAA Security Evaluation (45 CFR § 164.308(a)(8))
  3. Complete a Privacy Rule compliance assessment (45 CFR §164.530)
  4. Complete a Breach Rule compliance assessment (45 CFR §164.400)
  5. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
  6. Develop comprehensive HIPAA Privacy, Security and Breach Notification Policies & Procedures (45 CFR §164.530, 45 CFR §164.316 and 45 CFR §164.414)
  7. Document and act upon a corrective action plan

Please feel free to contact us to benefit from our expertise and help you jump-start your program.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.



Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.