TRENDING:

The Security Scrutinizer with Howard Anderson

Ready or Not, Here Come HIPAA Audits

Yet Another Incentive to Work on Compliance Howard Anderson (ismg_editor) • July 15, 2011    

We're delighted to see that federal authorities are finally launching the long-delayed HIPAA compliance audit program, which was mandated by the HITECH Act.

The threat of an audit could prove to be a powerful incentive for hospitals, clinics, health insurers and others to take adequate precautions to safeguard patient information. And if some of the organizations that are audited wind up facing penalties for non-compliance, that would be a powerful wake-up call, indeed.

Susan McAndrew, deputy director for health information privacy at the Department of Health and Human Services' Office for Civil Rights, revealed some audit program details in an interview this week (see: McAndrew Explains HIPAA Audits). She noted the program, which could result in as many as 150 on-site audits, won't start until late this year or early 2012, after about 20 test audits are completed.

So how will officials select audit candidates? Well, McAndrew didn't spell out the details, other than to say that her office would try to select a wide variety of organizations based on type, size and location. And initially, at least, covered entities, and not business associates, will be the focus. She said the process of selecting audit candidates "will not be totally random ... but this [audit program] will not be incident-driven, unlike the current investigations and compliance reviews that we do."

Considering the thousands of covered entities that must comply with HIPAA, the odds of getting audited are relatively remote. But the threat of an audit offers yet another reason to make sure your organization follows the guidelines in the HIPAA privacy and security rules.

OCR hasn't yet figured out how it will publicize the results of the audits. We're hoping it produces detailed reports on the aggregated findings and offers suggestions for HIPAA compliance best practices, based on what it learns from the audits.

So what can your organization do to prepare for an audit? McAndrew advises organizations to take several steps, including reviewing privacy and security policies and procedures, documenting patient information safeguards, updating risk assessments, developing a breach incident response plan and checking emergency backup systems.

What would a HIPAA compliance audit at your organization reveal? It's time to start thinking about that.



About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Properly Vetting AI Before It's Deployed in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.in, you agree to our use of cookies.