In my inbox this morning was a news brief from www.modernhealthcare.com announcing that the U.S. Department of Health and Human Services (HHS) inspector general’s office released two audit reports that call into question whether enough is being done by the Office of Civil Rights (OCR) and the Office of the National Coordinator (ONC) to enforce compliance with the HIPAA Security Rule portion of the Health Insurance Portability and Accountability Act (HIPAA). The report criticizes both Offices for not doing more to ensure protection of electronic protected health information (ePHI).
Why the OCR?
It’s noted that although the OCR has processes in place to initiate covered entity (CE) compliance reviews, it had not provided any examples of having done one. The only compliance reviews performed since the OCR took over enforcement in July of 2009 have been in response to reported breaches. According to the report, the OCR needs to do more than just react to breaches and reported security incidents. The auditors encouraged the OCR to begin random compliance audits of CEs, even where no breaches or security concerns have been raised.
Why the ONC?
In addition, the reports also find fault with the ONC, saying that it has fallen short in its efforts to promote the security of ePHI. The American Recovery and Reinvestment Act (ARRA), passed in 2009, placed some security responsibilities on the ONC to lead the way in safeguarding patient information as it pushed for adoption of EHR systems. The ONC required application vendors to meet certain security-related objectives to become certified, and one of the Core objectives of Stage 1 Meaningful Use requires CEs to conduct a Risk Assessment and develop a Risk Management program. Good first steps, but the auditors felt that more should have been done.
So what does this mean for you?
Start by asking yourself if your organization is HIPAA Security Rule compliant.
If you can confidently say “yes, we are”…
Then maybe you are one of the few who can sit back, relax a bit, and feel confident when the OCR comes knocking on your door.
If your answer is no or if you’re just not sure…
You’re not alone.
Most CEs today don’t have all the necessary pieces in place to meet compliance, and many aren’t even sure what the requirements are. And it’s not just a few policies here or there that are lacking. The cold reality is that most facilities are ill-equipped when it comes to protecting ePHI, and are even less prepared to pass a HIPAA Security Rule compliance audit.
The HHS inspector general’s office performed several of its own compliance audits on hospitals in seven states between August 2009 and March 2010 (California, Georgia, Illinois, Massachusetts, Missouri, New York and Texas). In those audits, it found 151 vulnerabilities in the systems and controls meant to protect patient information, of which 124 were described as “high-impact”. This points to the disparity between what the HIPAA Security Rule requires and what has actually been implemented to safeguard ePHI.
Would the results of an audit be any different at your organization? Better? Worse? What should you be doing to get your security house in order and achieve compliance?
Over the coming weeks, we’ll take a guided tour of the HIPAA Security Rule, covering each of the standards that make up the Rule, and the associated implementation specifications. We’ll explore the requirements, and offer some examples of how compliance can be achieved. You can sign up for weekly updates here.
You can expect the OCR to begin random compliance audits in the near future, and the ONC will likely add additional security-related objectives to the next stages of Meaningful Use. As we’ve been saying over the last year or so, it’s no longer a matter of “if”, but a matter of “when” you’ll need to provide proof that you’re compliant with the HIPAA Security Rule.