
HIPAA-Covered Entities in for a Rude Awakening in the Compliance Audits

It has been three years since the OCR completed the pilot phase of HIPAA compliance audits. The OCR discovered numerous violations of all HIPAA Rules when it analyzed the results, and while healthcare data security standards have improved considerably since 2012, many Covered Entities (CEs) would still fail a compliance audit.

A new survey recently published by Healthcare Information Security Today (HIST) indicates many Covered Entities (CEs) are making the same compliance mistakes that were uncovered during the pilot phase of audits.

The OCR used the results of the pilot phase to develop a protocol for phase two, and the areas that CEs struggled to implement will be specifically tested the second time around. A number of healthcare providers could have a rude awakening about what compliance with HIPAA really means.

The HIST survey uncovered a surprising level of confidence among covered entities. 80% of respondents said they were confident or somewhat confident of passing a compliance audit.

The pilot round of compliance audits identified many areas where organizations were failing to comply with the HIPAA Security Rule, in particular, the requirement to perform a risk analysis. Organizations had either failed to conduct a risk analysis, or failed to identify all the security vulnerabilities that existed.

The answers from the respondents to the HIST survey indicate that the level of compliance has improved greatly during the past three years; however, a quarter of respondents said they had not completed a risk assessment in the past 12 months. HIPAA requires that risk analyses be conducted on an ongoing basis; a risk analysis is not a one-time event. No healthcare IT environment remains the same for 12 months, and new security vulnerabilities can all too easily develop. The failure to monitor for risk on an ongoing basis is a clear violation of the Security Rule.

Technologies exist to safeguard PHI, yet many organizations are failing to put those technologies to use. Data encryption is still not being used to secure data, even on high-risk devices such as portable storage drives and laptop computers. BYOD schemes have been adopted, but only half of covered entities insist on a secure messaging app or another form of data encryption on the devices.

The potential HIPAA violations do not end there. The next round of compliance audits will test compliance with the HIPAA Omnibus Rule of 2013, which brought Business Associates (BAs) under the privacy and security regulations. The OCR will be auditing BAs during the second phase of audits and they too must be able to demonstrate compliance with HIPAA Rules.

Rather worryingly, according to the survey, even some of the fundamental HIPAA Rules are not being followed. Approximately a quarter of CEs say they have not obtained proof that their BAs have conducted a security audit, and a similar percentage have not obtained a copy of their BAs' security policies.

The 2015 Healthcare Information Security Today survey was conducted online, and the results were compiled from approximately 200 surveys completed by CISOs, CIOs and senior healthcare leaders. Surveys were completed between December 2014 and January 2015.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
