The initial 20 HIPAA audits have brought significant details to light. They found that HIPAA compliance had not been a priority for some organizations for several years, and that many companies were not conducting risk assessments on a regular basis.
The audits, coordinated by the Department of Health and Human Services' Office for Civil Rights (OCR), identified serious compliance challenges. A preliminary analysis of the first 20 audits showed that most organizations had more trouble with security compliance than with privacy compliance, and that smaller organizations struggled with it more than larger ones.
The top security issues identified during the first round of audits include gaps in user activity monitoring, contingency planning, authentication and integrity controls, media reuse and destruction, risk assessments, and the granting and modification of user access. Larger organizations were generally better at setting up and implementing HIPAA compliance programs, while many smaller entities had difficulty doing so. The audits also found that organizations were not paying due attention to third-party risk, such as monitoring business associates and addressing issues with them.
The privacy issues that emerged from the audits mainly concerned uses and disclosures of protected health information (PHI) relating to deceased individuals, uses and disclosures of PHI by personal representatives, business associate contracts, disclosures for judicial and administrative proceedings, and verification of the identity of those requesting PHI. Some organizations had no policies and procedures covering these areas, and where policies existed they were often not followed.
Steps to Be Taken
The initial audits have brought several issues to the forefront. Based on them, Linda Sanches, the federal official supervising the audits, advises organizations to take the following steps:
- Conduct robust reviews and assessments
- Identify lines of business affected by HIPAA
- Map how PHI moves within the organization and to and from third parties
- Identify every location where PHI resides in the organization
- Get guidance from the OCR website if needed
Sanches also says that, based on the insights drawn from the HIPAA audits, OCR will compile a guide to HIPAA compliance best practices. While that guide should be useful to every organization, in the meantime every organization should follow the steps above to avoid security lapses and to be prepared for an upcoming audit. One way to do this is with a compliance and security solution such as SecureGRC, which addresses the compliance, audit, assessment, and risk management needs of the organization.