The Protiviti View  | Insights From Our Experts on Trends, Risks and Opportunities


Is Your HIPAA House in Order?

James W. DeLoach

Managing Director


Expect enforcement of the HIPAA Security Rule, part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to increase in 2014. I recommend taking steps right now to ensure that your organization is, and can demonstrate that it is, doing everything the HIPAA Security Rule requires, particularly if – or when, as seems more likely – a government auditor comes calling. Read on, if you’re not convinced.

Recently, the Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) published a critical report finding that the Department’s Office for Civil Rights (OCR) was not adequately overseeing and enforcing the HIPAA Security Rule. It found that the OCR has failed to provide for periodic audits, as mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Instead, the OCR was following a complaint-driven approach to assessing compliance with the HIPAA Security Rule. The HHS OIG has concluded that level of oversight and enforcement is inadequate to meet federal requirements.

The OCR has also failed to consistently follow its investigation procedures and to maintain the documentation needed to support key decisions made during investigations, the OIG said. Its recommendation was for the OCR to add teeth to its audit program and expand its regulatory reach.

The increased threat of federal scrutiny is already leading responsible healthcare companies to assess whether they can demonstrate that they secure patient information, and, more importantly, consider patient data protection a key business focus. And many are seeking outside help because there is no prescriptive method or best practice available to guide compliance.

What exactly is going to go down, we can’t say for sure. But we do know this: Individuals, organizations and agencies that meet the definition of a “covered entity” under HIPAA need to review these six sets of functions as they apply to their HIPAA compliance:

  1. Security policy and organization
  2. Asset classification and control
  3. Personnel, physical and environmental security
  4. Communications and operations management
  5. Access control and system development and maintenance
  6. Business continuity management and compliance

We’re all getting the message that as technology evolves rapidly, new security threats continue to emerge and hackers persist in their attempts to get confidential information. As many as two-thirds of breaches may arise from malicious intent; hence, there is the need for a proactive approach to HIPAA security compliance.

Here are 10 key actions Protiviti recommends in our topical white paper, “HIPAA Security – Prepare Now or ‘Wait and See’?”:

  1. Determine the date of your last compliance evaluation and whether it addressed changes stemming from the HITECH Act.
  2. Evaluate the sufficiency of your risk analysis and risk management programs.
  3. Assess the impact of your risk analysis program on Meaningful Use attestation processes.
  4. Maintain sufficient documentation of your efforts.
  5. Ensure the entity has implemented a sustainable program that adapts to the changing environment and is proactive versus reactive.
  6. Monitor industry developments on a continuous basis and leverage existing guidance to the greatest extent practicable in a timely manner.
  7. Collaborate with the internal audit and independent compliance functions and other applicable resources.
  8. Move beyond evaluating simply the design of security and privacy processes and test operating effectiveness.
  9. Perform penetration and vulnerability testing on a regular basis.
  10. Talk to peers. You’ll realize you’re not alone in this process.

It would be wise to avoid testing the patience of the OCR. It is likely to start monitoring aggressively, and it is a reasonable bet that it will take significant action against organizations that are noncompliant. Therefore, each HIPAA covered entity will want to take proactive steps to seek the high ground before this wave hits.
