HealthBlawg

David Harlow's Health Care Law Blog


Get Your HIPAA House in Order

September 4, 2015

Many covered entities and business associates would like to “shoot the tube” when it comes to HIPAA compliance — ride it out and hope for the best.

As the federales have been saying for some time now, the day of reckoning is coming for more covered entities — and now for business associates, too. OCR is inching closer to conducting more HIPAA audits — including audits of business associates. We’ve seen signs of the next round of HIPAA audits brewing, and covered entities started receiving questionnaires this spring seeking in part to identify business associates.

OCR Director Jocelyn Samuels announced this week that a vendor has been selected to conduct the next round of HIPAA audits. Most will be desk audits, but some field audits will be conducted as well. An updated audit protocol will be coming out before the audits begin, which covered entities and business associates should use as a compliance tool and to prepare for a potential audit. (See the original HIPAA audit protocol.)

Other efforts coming soon from OCR highlighted by Samuels include:

  • New guidance on the patient right to access data under HIPAA, especially with regard to sharing information for President Barack Obama’s Precision Medicine Initiative. “We will be issuing new guidance so we can inform individuals about their rights to access … and make sure providers know what their obligations are,” she said.
  • Guidance on use of cloud technology and HIPAA obligations that apply to cloud providers is in the works.
  • A portal developers can use to ask OCR questions about ways in which HIPAA applies to emerging technology. Samuels said OCR anticipates the portal creating a space for a public dialogue and a vehicle to better understand issues arising in the industry and prioritizing the kinds of guidance and technical assistance the office can give.

It is never too late to undertake a HIPAA compliance planning or review effort. The rules require that privacy and security policies and procedures be put in place by all covered entities and business associates. Regulation and best practices also require regular review of these policies and their implementation, risk assessments and more.

In this day and age, it is likely that most covered entities and business associates will experience breaches. Over 80% of health care organizations have experienced breaches in the past two years. The relentless move of health data to the cloud, and the exponential growth of an ecosystem of business associates providing a vast array of services to covered entities mean that the potential exposure of protected health information to breaches — whether by identity theft hackers, disgruntled employees or former employees, and even well-meaning but uninformed employees — is enormous.

The key to ensuring that a breach does not become a company-destroying event is preparedness — having a plan, documenting the plan, executing on the plan. Having a convincing compliance story to tell (and show) in the event of a government audit, a complaint or breach investigation, or even a private lawsuit, will go a long way toward mitigating the effect on your organization.

So it’s time to talk to the man with the plan. When you’re ready to talk about HIPAA compliance — for the startup, for the enterprise, for the covered entity, for the business associate — you know where to find me.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting


Filed Under: Compliance, Digital Health, Ehealth, Health 2.0, Health care policy, Health Law, HIPAA, HIT, Home Health, Hospitals, Mobile health, OCR, Physicians, Privacy, Security

Copyright © 2006–2025
HealthBlawg is a publication of The Harlow Group LLC. See Copyright notice and disclaimer.