A round of HIPAA compliance audits has been conducted by the Office for Civil Rights (OCR) of the Department of Health and Human Services. The results of the first round of pilot audits, completed in March this year, have now been announced.
The OCR conducted 20 audits to assess organizations for compliance with HIPAA regulations, in particular the Privacy and Security Rules and the breach notification requirements. Only a small number of audits were conducted, but the results have given the OCR important insights into the general state of compliance in the healthcare industry. Some of the key findings were announced at the recent OCR and National Institute of Standards and Technology (NIST) conference.
OCR Compliance Audit Findings (March 2012)
The results indicate that while large organizations have by and large made the appropriate updates to their privacy and security policies, there is a gap between the government's expectations of privacy and security compliance and what the OCR observed in practice. Healthcare organizations are updating their policies and procedures, but the process has proved slower than anticipated.
Small organizations, defined for the audits as those with annual revenues of less than $50 million, are having the greatest difficulty staying compliant. Only six of the 20 audited entities were small organizations, yet they accounted for two thirds of the deficiency findings: 77% of the Privacy Rule deficiencies and 61% of the Security Rule deficiencies were found at small companies.
Healthcare providers fared worse than health plans and clearinghouses, accounting for 81% of deficiencies even though they were the subject of only half of the audits.
Security Rule requirements featured heavily in this round of OCR audits, so it is not surprising that most deficiencies were found in this area, although the findings still give cause for concern: 65% of deficiencies related to the Security Rule, compared with 26% relating to the Privacy Rule and 9% relating to breach notification.
The main areas of Security Rule non-compliance were the absence of contingency plans, insufficient monitoring of user accounts and activity, weaknesses in authentication and integrity controls, failure to securely destroy PHI that is no longer needed, poor management of user access rights, and failure to conduct risk assessments.
Privacy Rule issues included unclear policies and procedures, the lack of a review process for denials of patient access to records, disclosures concerning decedents and personal representatives, missing or inadequate business associate contracts, and failures to provide patients with access to their PHI.
Correcting Non-Compliance Issues
If the data paints an accurate picture of the state of compliance across the United States, there is clearly a long way to go to bring standards up to the level demanded by HIPAA. For organizations not audited as part of the pilot, the findings provide a chance to make changes: they can be used as a guide to identify potential vulnerabilities and non-compliance issues and to take corrective action before the next series of audits.
Healthcare organizations should revisit policies and ensure the following issues are addressed:
- Conduct a risk assessment covering all IT systems that store or process PHI, and ensure every identified risk is managed
- Implement a program to monitor access to PHI, including regular review of user accounts and activity
- Ensure policies include contingency plans for emergencies such as power outages and other interruptions to systems holding PHI
- Implement policies, including a review process, for handling denials of patient access to records
- Ensure policies are in place covering the protection and release of PHI of decedents and disclosures to personal representatives
- Review all business associate agreements and make sure every current business associate has an up-to-date agreement in place