This entry is part 18 of 27 in the series HIPAA Audit Tips

Healthcare IT News and HIMSS Media joined forces to create and hold The Privacy & Security Forum on December 12-13, in Boston. Among other speakers, Leon Rodriguez, head of the Office for Civil Rights (OCR), spoke and was interviewed by Healthcare IT News in a brief 7 1/2 minute segment that’s well worth the listen. The event and interview provided great insight into the OCR’s upcoming enforcement activities and plans. Here’s today’s big tip – listen to Leon’s comments about risk analysis!

HIPAA Audit Tips – Good grief, get that risk analysis completed!

Here’s the great interview of Leon Rodriguez by Marianne Kolbasuk McGee.

Following are some notes made by our Clearwater Compliance team members who attended The Privacy & Security Forum:

  • When asked what OCR is looking for during audits, Leon stressed that they are looking for adherence to a process regarding compliance. There is no silver bullet (one solution), but rather a process of compliance and a consistent approach toward compliance.
  • The single biggest and most common compliance weakness is the lack of a timely and thorough risk analysis.
  • If you do not use encryption and do not find, document and present an acceptable alternative – big problem.
  • When asked what he would suggest entities focus on, Leon said that besides encryption, people are the next big area of focus to avoid breaches – administrative and physical safeguards. He specifically mentioned that, in addition to training people, employees stealing PHI is an issue.
  • What is the focus for OCR in the future? Much more support for voluntary enforcement. Funding from fines/penalties will fuel future enforcement and restitution.
  • They are working on how to make audits more robust – they are planning more audits in the future, and higher fines/penalties will fund more audits.
  • Monetary fines/penalties have been growing each year, with last year being the highest so far. This year is projected to be even higher.
  • He made the point that a small % of breaches result in monetary penalties.
  • Leon said he is confident that there are a lot of “reportable” breaches not being reported. He said they will find them… he sounded pretty confident!
  • Another big issue Leon has seen from audits – lack of activity monitoring.
  • Stressed the need for BAs to get compliant – they will have only 180 days from the final rule. It is coming.
  • Leon’s response to the question of whether future audits will follow the KPMG model? They are working on it. They may take an approach like OIG’s, where they focus on, say, risk analysis for 2013 or another hot area.
  • Part of OCR’s future audit business plan will be based on analysis of the current audit results.
  • When asked what differentiates compliant vs. non-compliant entities, Leon said leadership toward a culture of compliance inside the entity is the major differentiator.

Proven HIPAA Audit Tips – Actions You Should Take Now to Prepare for OCR HIPAA Audits

We recommend that organizations that have not already done so complete some fundamental preparation activities, which include, but are not limited to:

  1. Establish a formal Privacy and Security Risk Management & Governance Program (45 CFR § 164.308(a)(1))
  2. Complete a HIPAA Security Evaluation (45 CFR § 164.308(a)(8))
  3. Complete a Privacy Rule compliance assessment (45 CFR §164.530)
  4. Complete a Breach Rule compliance assessment (45 CFR §164.400)
  5. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
  6. Develop comprehensive HIPAA Privacy, Security and Breach Notification Policies & Procedures (45 CFR §164.530, 45 CFR §164.316 and 45 CFR §164.414)
  7. Document and act upon a corrective action plan

Please feel free to contact us to benefit from our expertise and let us help you jump-start your program.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

Wanna be even more ready for an audit or hip on HIPAA? Learn more…

The complete HIPAA Privacy, Security and Breach regulations are here.

If you’d like to keep up to date on Audit Preparation, Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.