The results of the 115 HIPAA compliance audits conducted last year under the pilot program are still being evaluated, said Susan McAndrew of the Department of Health and Human Services' Office for Civil Rights (OCR), and the audit program will not resume until after the current fiscal year ends. The evaluation is expected to guide where OCR focuses its future efforts.
Although the audit program has so far proved a useful way to gauge and encourage compliance, OCR has yet to decide exactly when the program will resume or how large it will be. In an interview with Healthcare Info Security, McAndrew offered several insights into what lies ahead for HIPAA audits.
McAndrew noted that only a small number of last year's audits came away with no findings, which shows that organizations still have a long way to go on privacy and security. She stressed the importance of carefully assessing risks to patient information and urged healthcare entities to keep their risk assessments, policies, and procedures up to date.
Insights Gained From HIPAA Audits
Although the audit results are still being assessed, McAndrew said one obvious takeaway is that organizations still have a lot of work to do to comply with both the Privacy Rule and the Security Rule, and that now is a good time for healthcare entities to turn their attention to the immediate steps needed to get into compliance.
Second, she pointed out that organizations must pay attention to whether the Security Rule's standards are actually being met, which means conducting a risk analysis and then addressing the vulnerabilities it identifies. Third, according to McAndrew, the audits indicate that smaller entities are the ones struggling most to meet both the privacy and security requirements.
Addressing Encryption
On encryption, McAndrew pointed out that at least 15% of the audited organizations had neither implemented encryption nor documented why encryption was not needed. The Security Rule treats encryption as an addressable implementation specification: an entity may decide that encryption is not reasonable and appropriate in its environment, but it must then document the reason and implement an equivalent alternative safeguard for the information. A number of audited organizations had done none of these things: they had not encrypted, had not documented a reason, and had not put an equivalent protection in place.
McAndrew stressed that breaches caused by lost or stolen storage and mobile devices are common, and that when such a device holds unencrypted data, the exposure of that information can become grounds for penalties. The practical corollary is that electronic PHI encrypted in line with HHS guidance is not "unsecured" PHI for purposes of the Breach Notification Rule, so the loss of a properly encrypted device does not carry the same breach consequences as the loss of an unencrypted one.
Audit Reports
On publishing the audit results, McAndrew said the 115 audit reports are still being analyzed and that OCR has yet to decide what to do with the final analysis. She added that the office reserves the right, in appropriate cases and depending on the seriousness of a finding, to refer a case for compliance review, which may result in enforcement action.
Resuming HIPAA Audits
According to McAndrew, the office hopes to resume audits once the evaluation of the previous round is complete. That evaluation is expected to show where to concentrate effort and how to fund the program. OCR is also updating the audit protocol to reflect the changes in the final rule, with the current focus on implementation of the Omnibus Rule.
Tips to Prepare for the Audits
Healthcare organizations should treat this pause as an opportunity to take a systematic look at their compliance posture and make sure their risk assessment, policies, and procedures are up to date, says McAndrew. It is a good time to make compliance a daily practice, which means backing compliance initiatives with an organized program and a self-audit or external-audit process.
This is what Aegify Security Posture Management and Aegify SecureGRC are designed to support. By providing ongoing security monitoring, protecting the privacy of health records, and conducting periodic risk assessments, these platforms are intended to help healthcare entities become and remain compliant and keep patient health information secure and private.