Don’t Worry About the 2014 HIPAA Audits

Focus on Preventing Data Breaches 

While the buzz is picking up about the HIPAA Audits that the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) should begin again this Fall, the odds are that you won’t be audited compared to the much greater possibility that you will deal with a data breach complaint and investigation.

If you protect patient information you will be doing the right thing for patients and also be protecting your organization. Once data is properly protected according to the HIPAA Security Rule’s Administrative, Physical, and Technical safeguards, then compliance is just icing on the cake. Documentation, workforce training, reporting. You can reduce the higher odds of a breach investigation and not have to worry about the HIPAA audits.

Since 2012 only 115 HIPAA audits have been conducted out of over 700,000 HIPAA Covered Entities. Even if OCR conducts the maximum of 1200 HIPAA audits it announced in February, these will also be spread across more than 2 – 3 million Business Associates that now have to comply with HIPAA.

Data breaches are a completely different story. In 2012 and 2013 almost 24,000 complaints were made to the Office for Civil Rights (OCR) that enforces HIPAA. Almost 7,000 resulted in corrective action, a lot more than the 115 HIPAA audits.

This does not count state-level investigations conducted by attorneys general and other agencies, which can issue fines and suspend you from doing business. (Recently the Puerto Rico insurance commissioner issued a $ 6.8 million HIPAA data breach fine.) It does not count data breach investigations conducted by the Federal Trade Commission, which cannot issue HIPAA fines but they can put you on a 20-year compliance monitoring program. It doesn’t count the lawsuits filed by patients and insurance plan members whose data was breached. Nor does it consider the costs of lawyers, credit monitoring services, public relations, or lost business.

Everyone talks about HIPAA audits. The reason that HIPAA requires compliance is not for you to prepare for HIPAA audits, but to protect patient information. If you focus on compliance with HIPAA or Meaningful Use you might end up with lots of documentation- a HIPAA Risk Analysis, policies and procedures, and a lot more paper. But will your data really be secure? Focus on avoiding or preventing data breaches and then do the paperwork.

Here are a few things you can do to avoid a data breach (they are all #1 priorities!):

  1. Encrypt data at rest (stored.)  If an encrypted device is lost or stolen you do not have to report it as a data breach. The data is protected and federal and state agencies provide get-out-of-jail-free exemptions from reporting.
  1. Do a Risk Analysis. Find all of your protected data and secure it. Look hard at your network to make sure it is secure. Hire a professional who understands networks and IT security. HIPAA audits have shown a missing or inadequate Risk Analysis to be the most common audit failure. Every major HIPAA data breach penalty has cited a missing or inadequate risk analysis as the root cause.
  1. Police your users. Do not allow them to transport unencrypted patient data on portable or mobile devices, forward it to personal e-mail accounts, or store it in free file sharing online services. Train them to avoid being suckered by phony e-mails and websites that can inject malware into your network.
  1. Remember to protect old data. Legacy Electronic Health Record systems kept alive to access old records contain patient data that is just as legally protected as new data. Old hard drives and backup tapes may not seem important but they are huge risks. What about the Windows XP systems you recently retired?
  1. Police your Business Associates. They account for over 20% of all data breaches. How are they handling your data files? Your online backups? Passwords for their techs accessing your network? Repairs and equipment retirements? Are their subcontractors also compliant?
  1. Don’t get complacent. Just because your data was secure a minute ago does not mean that it is safe right now. Work with an IT solution provider that can remotely monitor and maintain your network and devices to ensure ongoing security.

Remember, data protection first then HIPAA compliance. This will be better for your patients and will lower your risks of an expensive and embarrassing data breach.

originally written for 4MedApproved