Is Your Organization Prepared for New HIPAA Audit Requirements?
In the previous post, we discussed why an organization’s regulatory compliance strategy must be part of the overall IT strategy. The growing use of mobile devices and cloud-based services makes data more difficult to control and protect. For example, if data is stored in the cloud, you need to know exactly where that data resides and whether the cloud service provider is adhering to government and industry regulations. As regulators continue to introduce stricter rules and stiffer penalties, organizations must implement the right technology and processes to minimize risk.
Healthcare organizations in particular are feeling the pressure to update their Health Insurance Portability and Accountability Act (HIPAA) compliance strategies. Unfortunately, complaints and violations have been alarmingly common since the first HIPAA compliance protections went into effect in 2003. More than 130,000 HIPAA complaints have been received since then, with fines and settlements totaling more than $36 million. Violations have ranged from the use of unencrypted laptops and thumb drives to failing to address known vulnerabilities until after a breach occurred.
Now, new HIPAA audit requirements are making compliance even more challenging. These requirements are part of the second phase of the HIPAA audit program, which comes in the aftermath of a large number of security breaches in the healthcare industry. Covered entities – health plans, healthcare providers and healthcare clearinghouses – received letters notifying them of their inclusion in desk audits, even if no complaints have been filed against them.
Desk audits assess the HIPAA compliance of these organizations by examining documentation of policies and procedures, which are common sources of non-compliance and thereby present the greatest risk to the security of protected information. Specific HIPAA requirements to be reviewed include:
- The HIPAA Privacy Rule, which provides standards for ensuring the privacy of medical records.
- The HIPAA Breach Notification Rule, which requires entities to notify the Office of Civil Rights when health information is compromised.
- The HIPAA Security Rule, which provides standards for protecting electronic health information.
Entities that received letters had 10 business days to respond. If an audit uncovers serious compliance concerns, there could be a more comprehensive review of the organization. If violations are found, monetary penalties could result. This fall, business associates of healthcare organizations will be subject to desk audits for the first time.
The recent surge in ransomware attacks has led to the release of new guidance that explains how to determine if a ransomware incident should be reported as a HIPAA breach. Ransomware is a form of malware that encrypts or blocks access to data and requires the user or organization to pay a ransom to have that data restored. Ransomware attacks now occur an average of 4,000 times per day, a 300 percent increase from last year.
The HIPAA Security Rule requires covered entities and business associates to take steps to minimize the risk of a ransomware attack, including conducting a risk analysis, implementing proper procedures and training programs for detecting, reporting and responding to incidents, and assessing the risk of individual incidents.
Don’t let complex regulations and cybercriminals affect your business operations or the safety of your patients. Let Atlantic-IT.net, your outsourced IT department, help you assess security and compliance risks, deploy the right technology to fill any gaps, and implement procedures that meet HIPAA standards.