OCR Audits – Aegify
https://www.aegify.com
Comprehensive Security, Risk and Compliance Assurance Solution
Feed last updated: Tue, 31 May 2016 21:29:43 +0000

HIPAA Audit: OCR Is On The Move
https://www.aegify.com/hipaa-audit-ocr-is-on-the-move/
Tue, 29 Mar 2016 20:26:33 +0000

Last week, the HHS Office for Civil Rights (OCR) announced the launch of phase 2 of the HIPAA Audit Program. OCR’s goal is to proactively uncover and address risks and vulnerabilities to protected health information (PHI). Effective immediately, OCR will audit Covered Entities (CEs), their Business Associates (BAs) and vendors to confirm that comprehensive risk management frameworks are in place.

CEs and BAs are required by law to implement a HIPAA security program and to meet the standards and implementation specifications of the Privacy, Security and Breach Notification Rules; the phase 2 audits examine a selected subset of those standards and specifications.

Friends, this is serious business. Earlier this month, North Memorial Health Care of Minnesota settled potential HIPAA violations with OCR for $1.55 million. See OCR’s 3/16/16 press release.

Can you withstand a fine or settlement of this amount?

CEs and their business associates are protected with Aegify RSC Suite, or alternatively through a combination of Aegify Risk Manager, Aegify Security Manager, Aegify Compliance Manager and Aegify BA-Vendor Manager. It’s easy to get started. Contact sales@aegify.com.

See OCR’s 3/21/16 press release announcing phase 2 of the audit program.

Thank you,
The Aegify Team
Common mistakes to avoid to be guarded from HIPAA Audits and Penalties in 2015
https://www.aegify.com/tips-to-avoid-hipaa-audits-2015/
Thu, 12 Feb 2015 09:42:57 +0000

Whatever the industry, the digital era makes protecting employee privacy, and healthcare information in particular, a vital obligation for every employer. Governments have enacted the HIPAA and HITECH laws to govern how this information is handled, but staying compliant with those regulations is a daunting challenge in a world of cyber criminals.

The past year saw enterprises and individuals across industries, and the healthcare industry most of all, fall prey to data breaches and HIPAA compliance failures. The Office for Civil Rights (OCR) has therefore taken stern steps to ensure the privacy and security of data across enterprises in 2015. Because OCR wants covered entities, medical practitioners and their business associates to take proactive steps toward compliance with the Health Insurance Portability and Accountability Act, it intends to use the HIPAA Audit Program to randomly select enterprises and check their compliance levels. With HIPAA audits on the horizon, enterprises need to institute smart practices and be audit ready.

The expanded audit program was mandated by the HITECH Act, which was enacted as part of the 2009 stimulus legislation, and any reported breach affecting 500 or more individuals is likely to trigger an OCR investigation. Employers in other industries also need to take proactive steps to comply with these regulations, since they too are liable for hefty fines.

Understanding some of the common pitfalls will help enterprises avoid them during the 2015 HIPAA audits. These mistakes include:

  • Non-compliance with the Security Rule: failing to keep policies and documentation current, leaving PHI unencrypted, and overlooking business associate agreements.
  • Failing to implement security risk assessment and compliance programs that help employees understand why PHI, which includes vital personal information and payment card data, must be protected.
  • Failing to establish security programs that proactively monitor security and performance indicators, and failing to continuously train and retrain employees with critical access on the documented processes for handling vital data and EHRs.
  • Failing to update privacy practices.
  • Ignoring other privacy laws that interact with HIPAA.

With OCR using the HIPAA Audit Program to randomly assess covered entities and their business associates for compliance with the HIPAA Privacy, Security and Breach Notification Rules, those entities must take a proactive approach to audits. As a first step, enterprises need to ensure that their compliance plan is documented and communicated across the various units of the organization.

With regulators favouring a risk-based approach, enterprises should use security and compliance programs such as Aegify to evaluate the risks and vulnerabilities in their environments. Doing so puts security controls in place that address those issues and, at the same time, prepares the business to face OCR whenever the auditors arrive.

Why Data Breaches are reported after Vendor Disputes?
https://www.aegify.com/vendor-disputes-leads-to-breach-notification/
Wed, 04 Feb 2015 06:20:59 +0000

In the technology-dependent business world, digital data has not only made data transfer, storage and access easy from any location and device, but has also left organizations vulnerable to data breaches.

Following the legal dispute between the Texas Health and Human Services Commission and its former contractor Xerox, the state agency reported a data breach affecting 2 million individuals. The incident joined the others on the Dept. of Health and Human Services’ “wall of shame”, bringing the count to 1,167 incidents affecting nearly 41.3 million individuals. Of the incidents reported since the HIPAA Breach Notification Rule took effect in 2009, many involved business associates. With the HIPAA Omnibus Rule now in effect, business associates and their subcontractors are directly liable for maintaining HIPAA compliance.

Texas HHSC reported the incident as unauthorized access or disclosure. It is believed to have involved the electronic records of 2 million individuals, including their birth dates, Medicaid numbers, medical and billing records for care provided through Medicaid, reports, diagnosis codes and photographs. Whatever data-protection measures the contractor has in place, the covered entity also needs its own information security risk analysis and contingency planning. Such proactive measures prepare it for disputes in which a business associate’s handling or destruction of protected health information is in question.

Moreover, with OCR enforcing HIPAA, business associates need to spell out, together with their covered entities, how they will safeguard protected health information. Further, under the HIPAA Omnibus Rule, a covered entity must treat any impermissible use or disclosure of PHI as a presumed breach, and report it, unless a risk assessment demonstrates a low probability that the PHI has been compromised.

Conclusion
In a business world that relies on portable devices and BYOD for accessibility, data breaches may also be caused by lost or stolen devices that lack encryption. Comprehensive security solutions such as Aegify Security Posture Management or Aegify Risk Management help healthcare providers and their business associates keep data threats at bay and maintain periodic risk analysis throughout the data life cycle.

Facing OCR Audits with Confidence
https://www.aegify.com/facing-ocr-audits-with-confidence/
Thu, 15 Jan 2015 04:09:47 +0000

Reported healthcare data breaches have risen by nearly 138%. The Department of Health and Human Services’ Office for Civil Rights is therefore unveiling the second round of its audit program. Unlike the earlier round, this time OCR is looking to audit all high-risk areas, relying mainly on desk audits rather than on-site visits, and is considering integrating the audits into OCR’s formal enforcement program.

Although HIPAA compliance audits have become more common, many healthcare providers are still not effectively prepared for one. These providers and their business associates may therefore face serious consequences in the next round of OCR audits. What healthcare providers need to understand is that, while the Office for Civil Rights is not out to get them, it definitely expects healthcare enterprises to make a faithful, good-faith effort to protect vital patient data. Two years after the 2012 OCR pilot audits, covered entities and business associates still need more effective measures to protect themselves and avoid repeating past mistakes.

In fact, with technology being integrated into the audit process, healthcare providers need to learn from past mistakes and be ready to face the OCR audits. The 2012 OCR audits exposed gaps in healthcare compliance such as:

  • Minimal or no protection: absence of even basic security tools and methods to identify vulnerabilities, leading to exposure of patient data.
  • No knowledge of where data is located, while allowing anywhere, any-time access to it from various handheld devices.
  • No training sessions for employees, and no techniques for monitoring data or reporting data breaches.

Since the Department of Health and Human Services has recorded more than 500 data breaches affecting the PHI of 33 million individuals on its wall of shame, covered entities and their business associates need to understand that OCR audits act as a vehicle to help them monitor HIPAA regulatory compliance efficiently. As a first step, these establishments need to conduct a risk assessment to identify areas of vulnerability.

With HIPAA dictating the need to protect PHI, covered entities and their business associates need to deploy more strategic methods to identify the risks their data faces. Deploying comprehensive security management solutions such as Aegify Security Posture Management and Aegify Secure GRC will help these healthcare providers face the OCR audits with confidence.

OCR Audits Begin- It’s Time for the Acid Test!
https://www.aegify.com/ocr-audits-begin-its-time-for-the-acid-test-2/
Tue, 15 Nov 2011 05:47:08 +0000

You may have been doing a lot to ensure information security and compliance in your organization. But that’s really not enough, because it’s now time to prove your compliance with the security and breach notification rules to the OCR audit team. The audit protocols were developed by KPMG under the $9 million contract announced in July, and up to 150 audits are scheduled to be conducted by the end of 2012.

The new protocols will be tested in 20 “initial” audits, and the results of those audits will determine how and when the remaining audits are conducted. The new OCR webpage for the audit program states that the initial round will audit covered entities of various sizes and functions, and that business associates will be included in later audits. It also states that covered entities are expected to extend complete support and cooperation, and reminds them that the HIPAA Enforcement Rule makes cooperation mandatory.

OCR will use the initial audit reports from KPMG to determine what types of technical assistance need to be developed and which corrective actions will prove most effective.

Although OCR does not explain how entities will be selected for audit, you can expect a written notification if your organization is selected. The notification will explain the details of the program and include initial requests for documentation and information, which must be provided within 10 business days. Following this, you can expect a site visit between 30 and 90 days after the notification is sent.

So are you prepared to face the acid test? How compliant is your entity? How effective are your security policies and protocols? Have you been adequately documenting proof of compliance? It’s time for a reality check. Our security and compliance solutions have been designed specifically for this purpose. SecureGRC is a fully automated solution that lets you seamlessly manage compliance and security requirements, while the automated HIPAA compliance management toolkit helps you meet audit requirements by dramatically simplifying the process.
