The National Health Information Management Systems Society (HIMSS) Conference is taking place February 19-23 in Orlando, Florida. During this time, leaders from all over the world gather to network, collaborate, and learn what is ahead for the healthcare industry.
Deven McGraw is the Deputy Director for Health Information Privacy with the Office for Civil Rights (OCR). The OCR is the enforcement mechanism for ensuring compliance with HIPAA, as well as other areas. During one of the HIMSS sessions, one of the key points Mr. McGraw discussed was an update on the Phase 2 compliance audits that took place during 2016. The goal of these HIPAA audits was to support improved compliance. They were not intended to be punitive, but it was shared that where the violations found were severe enough, OCR did open a full compliance review. The audits were initiated by a notification sent by OCR to the Covered Entity (CE) informing them of the audit and providing instructions on what needed to be provided to OCR for review. It was indicated that, in many cases, incorrect documents were received, or none were sent at all.
In summary, OCR learned from these audits that much work is still needed in the compliance space. The list below shows the areas OCR most commonly found to be out of compliance:
- No Security Risk Assessment (SRA) completed
- Unable to Account for Business Associate Agreements (BAAs)
- Missing or out-of-date policies and procedures
- Lack of transmission security
- Insider threats (not deactivating an account following termination)
- Improper disposal of content (paper and electronic)
- Lack of contingency plans, or no backups
Based on these findings, it was announced today that OCR will continue these audits.
Now is the time to ask the following of your organization:
- Have you completed a third-party Security Risk Assessment?
- Do you have a compliance officer?
- Has your staff been trained?
As these efforts continue with more auditing resources, keep in mind that your organization could be contacted for a desk audit. What other risks would such an audit expose for your organization?