Many covered entities and business associates would like to “shoot the tube” when it comes to HIPAA compliance — ride it out and hope for the best.
As the federales have been saying for some time now, the day of reckoning is coming for more covered entities — and now for business associates, too. OCR is inching closer to conducting more HIPAA audits — including audits of business associates. We’ve seen signs of the next round of HIPAA audits brewing, and covered entities started receiving questionnaires this spring seeking in part to identify business associates.
OCR Director Jocelyn Samuels announced this week that a vendor has been selected to conduct the next round of HIPAA audits. Most will be desk audits, but some field audits will be conducted as well. An updated audit protocol will be coming out before the audits begin, which covered entities and business associates should use as a compliance tool and to prepare for a potential audit. (See the original HIPAA audit protocol.)
Other efforts coming soon from OCR highlighted by Samuels include:
- New guidance on patient right to access data under HIPAA, especially with regard for sharing information for President Barack Obama’s Precision Medicine Initiative. “We will be issuing new guidance so we can inform individuals about their rights to access … and make sure providers know what their obligations are,” she said.
- Guidance on use of cloud technology and HIPAA obligations that apply to cloud providers is in the works.
- A portal developers can use to ask OCR questions about ways in which HIPAA applies to emerging technology. Samuels said OCR anticipates the portal creating a space for a public dialogue and a vehicle to better understand issues arising in the industry and prioritizing the kinds of guidance and technical assistance the office can give.
It is never too late to undertake a HIPAA compliance planning or review effort. The rules require that privacy and security policies and procedures be put in place by all covered entities and business associates. Regulation and best practices also require regular review of these policies and their implementation, risk assessments and more.
In this day and age, it is likely that most covered entities and business associates will experience breaches. Over 80% of health care organizations have experienced breaches in the past two years. The relentless move of health data to the cloud, and the exponential growth of an ecosystem of business associates providing a vast array of services to covered entities mean that the potential exposure of protected health information to breaches — whether by identity theft hackers, disgruntled employees or former employees, and even well-meaning but uninformed employees — is enormous.
The key to ensuring that a breach does not become a company-destroying event is preparedness — having a plan, documenting the plan, executing on the plan. Having a convincing compliance story to tell (and show) in the event of an government audit, a complaint or breach investigation, or even a private lawsuit, will go a long way toward mitigating the effect on your organization.
So it’s time to talk to the man with the plan. When you’re ready to talk about HIPAA compliance — for the startup, for the enterprise, for the covered entity, for the business associate — you know where to find me.
David Harlow
The Harlow Group LLC
Health Care Law and Consulting