OCR Audits: Don't Fall Victim To Past Mistakes - InformationWeek

Healthcare // Security & Privacy
Commentary | 11/21/2014 09:06 AM | Mark Fulford

OCR Audits: Don't Fall Victim To Past Mistakes

The Office of Civil Rights is not out to get you. But it does expect you to make good-faith efforts at protecting patient data.

It's been two years since the 2012 Office of Civil Rights (OCR) pilot program audits took place, with results pointing to an overall lack of clarity on how to comply with HIPAA regulations. Despite having more time to figure it out, the current prevalence of non-compliance across the healthcare industry suggests this lack of clarity persists.

The 2014 through 2015 OCR audit season is upon us, and many healthcare organizations still have not taken adequate measures to prepare.

The good news is the upcoming audits, originally slated to begin this fall, have been delayed. The OCR is taking additional time to finalize the web portal it will use to gather electronic compliance artifacts from entities the agency selects for audits. But this round of OCR audits will target a significantly larger number of covered entities than were audited in 2012. And when the audits do commence, business associates will be included as well. In other words, there is a much higher likelihood of being audited than there was in 2012.


If you are an eligible organization, now is the time to learn from past mistakes and get ready for a possible visit, on site or electronically, from the OCR.

Exposing the gaps in healthcare compliance
The 2012 OCR audits revealed the healthcare industry at large had not yet begun to take compliance seriously. An astounding two-thirds of audited entities had not even performed a complete and accurate risk assessment, which is the first step in putting a security strategy in place.

Here are some other unsettling results of the 2012 OCR audits:

  • Minimal protection: A number of audited organizations had not installed basic security tools to protect their networks. Not only was patient data exposed, there was little or no initiative to identify areas of vulnerability and put better controls in place.
  • Clueless about data: Many covered entities were challenged to identify where they stored their protected health information (PHI). As expected, PHI resided in core clinical applications, in databases, on workstations, on external media, and on print copies. But most organizations were hard-pressed to know what data was stored where. Plus, employees used mobile devices to access data from a variety of public places, with little or no consideration for the confidential nature of each transaction.
  • Lack of oversight: Overall, the 2012 OCR audits revealed that a large number of audited organizations grossly neglected data monitoring, staff training, and breach reporting.

(Source: Lendingmemo.com)

Since the enactment of HITECH in 2009, the Department of Health and Human Services (HHS) has cited more than 1,000 serious data breaches of 500-plus records -- compromising more than 33 million patient records -- on its online wall of shame. Sadly, in the 2012 audits, only 13 entities (out of 115) had no findings or observations.

OCR is on your side -- take advantage
Although no one should overlook the penalties for non-compliance, it's important to recognize the OCR is not out to get you. There are a number of resources available from the OCR website as well as the Office of the National Coordinator (ONC) at HealthIT.gov. OCR audits are a vehicle to monitor the overall healthcare industry for compliance with HIPAA regulations. Aggregate findings inform policies and outreach that will improve the overall privacy and security of patient data.

But the OCR will expect to find a good-faith effort to comply if they audit you. The first step, if you have not done so already, is to conduct a risk assessment that identifies areas of vulnerability in your healthcare data security strategy. As part of that risk assessment, do an inventory of all your confidential patient data. Know where it resides and how it's handled. Don't forget to include all business associates with whom you share PHI. And be sure you maintain an accurate listing of those organizations. Auditors will ask.

Beyond basic network security controls and cataloging data, HIPAA dictates that you take an active role in protecting PHI. It's not enough to simply install network security tools. Go one step further and assign someone to periodically review system logs and events. Check physical security of your data centers and office areas. Situate workstations strategically for maximum privacy. Review your business associate agreements and make sure that the third parties with whom you share data are compliant as well. (This due diligence can be done through your own audit or by using a third-party resource such as a SOC or HITRUST report.) HIPAA also requires that staff is trained on how to handle and store PHI, and that you schedule regular reminders. How prepared you are to recognize and respond to possible breaches also will be a focus of the upcoming audits, so be sure you have documented plans in place.

As you can see, HIPAA regulations affect multiple areas of your organization. But the directives aren't always as prescriptive as some might like. By design, HIPAA rules have built-in flexibility, leaving decisions about compliance up to each organization, based on size, budget, and risks that are unique to your operations. Clearly, a large regional hospital will have more resources to dedicate to healthcare data security than a small-to-midsize physician's office. OCR recognizes this, which is why how you meet standards is ultimately up to you. If you've implemented a compliant strategy to the best of your ability and have justified your decisions in writing, you will likely emerge from an audit relatively unscathed. If not, take these lessons to heart and prepare thoroughly for a potential audit.


Mark Fulford is a Partner in LBMC's Security & Risk Services practice group. He has over 20 years of experience in information systems management, IT auditing, and security. Mark focuses on risk assessments and information systems auditing engagements including SOC reporting.

Comments
pfretty, 11/25/2014 | 11:29:23 AM
Data governance
A key component to any data governance strategy starts with an understanding of just how valuable a customer's or, in this instance, a patient's data really is to the organization. It's probably one of the best assets an organization can possess. It's sad that so many organizations fail to stress its significance. Strategy and governance need to move up on the priority list.

Peter Fretty, IDG blogger working on behalf of SAS
asksqn, 11/28/2014 | 5:17:48 PM
HIPAA-like law for consumer data would be nice
While I'm heartened to see the OCR taking a somewhat proactive stance for auditing noncompliant entities, I'd still like to see the same protections HIPAA affords health records applied to consumer financial data. Cough Target breach cough Home Depot breach.