Expect enforcement of the HIPAA Security Rule, part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to increase in 2014. I recommend taking steps right now to ensure that your organization is, and can demonstrate that it is, doing everything the HIPAA Security Rule requires, particularly if – or when, as seems more likely – a government auditor comes calling. Read on, if you’re not convinced.
Recently, the Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) published a critical report finding that the Department’s Office for Civil Rights (OCR) was not adequately overseeing and enforcing the HIPAA Security Rule. It found that the OCR has failed to provide for periodic audits, as mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Instead, the OCR was following a complaint-driven approach to assessing compliance with the HIPAA Security Rule. The HHS OIG has concluded that this level of oversight and enforcement is inadequate to meet federal requirements.
The OCR has also failed to consistently follow its investigation procedures and to maintain the documentation needed to support key decisions made during investigations, the OIG said. Its recommendation was for the OCR to add teeth to its audit program and expand its regulatory reach.
The increased threat of federal scrutiny is already leading responsible healthcare companies to assess whether they can demonstrate that they secure patient information, and, more importantly, consider patient data protection a key business focus. And many are seeking outside help because there is no prescriptive method or best practice available to guide compliance.
What exactly is going to go down, we can’t say for sure. But we do know this: Individuals, organizations and agencies that meet the definition of a “covered entity” under HIPAA need to review these six sets of functions as they apply to their HIPAA compliance:
- Security policy and organization
- Asset classification and control
- Personnel, physical and environmental security
- Communications and operations management
- Access control and system development and maintenance
- Business continuity management and compliance
We’re all getting the message that as technology evolves rapidly, new security threats continue to emerge and hackers persist in their attempts to get confidential information. As many as two-thirds of breaches may arise from malicious intent; hence, there is the need for a proactive approach to HIPAA security compliance.
Here are 10 key actions Protiviti recommends in our topical white paper HIPAA Security – Prepare Now or ‘Wait and See’?
- Determine the date of your last compliance evaluation and whether it addressed changes stemming from the HITECH Act.
- Evaluate the sufficiency of your risk analysis and risk management programs.
- Assess the impact of your risk analysis program on Meaningful Use attestation processes.
- Maintain sufficient documentation of your efforts.
- Ensure the entity has implemented a sustainable program that adapts to the changing environment and is proactive versus reactive.
- Monitor industry developments on a continuous basis and leverage existing guidance to the greatest extent practicable in a timely manner.
- Collaborate with the internal audit and independent compliance functions and other applicable resources.
- Move beyond evaluating simply the design of security and privacy processes and test operating effectiveness.
- Perform penetration and vulnerability testing on a regular basis.
- Talk to peers. You’ll realize you’re not alone in this process.
It would be wise to avoid testing the patience of the OCR. It is likely to start monitoring aggressively, and it is a reasonable bet that it will take significant action against organizations that are noncompliant. Therefore, each HIPAA covered entity will want to take proactive steps in seeking the high ground before this wave hits.