It finally looks like the feds are starting up the next phase of HIPAA audits — but there’s still time to ensure your business associates (BAs) are staying compliant.
In preparation for the next round of audits, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has begun sending out pre-audit surveys to randomly selected providers, according to healthcare attorneys from the law firm McDermott Will & Emery.
Originally, the surveys were meant to go out during the summer of 2014, but technical improvements and leadership transitions put the audits on hold until now.

Moving toward Phase 2
The OCR has sent surveys asking for organization and contact information from a pool of 550 to 800 covered entities. Based on the answers it receives, the agency will pick 350 for further auditing, including 250 healthcare providers.
The Phase 2 audits will primarily focus on covered entities’ and their BAs’ compliance with HIPAA Privacy, Security and Breach Notification standards regarding patients’ protected health information (PHI).
Since most of the audits will be conducted electronically, hospital leaders will have to ensure all submitted documents accurately reflect their compliance program, since they’ll have minimal contact with the auditors.

4 vendor pitfalls
It’s not clear yet to what extent the OCR will evaluate BAs in the coming audits due to the prolonged delay. However, there are plenty of other good reasons hospital leaders need to pay attention to their vendors’ and partners’ approaches to HIPAA compliance and security.
That’s mainly because a lot of BAs aren’t 100% sure what HIPAA compliance entails, and they often jeopardize patients’ PHI, according to Chris Bowen, founder and chief privacy and security officer at a cloud storage firm, in a recent HealthcareITNews article.
A large number of data breaches begin with a third party, so it’s important hospital leaders keep their BAs accountable by ensuring they regularly address these five areas:
- Risk assessments. As the article notes, research has shown about a third of IT vendors have failed to conduct regular risk analysis of their physical, administrative and technical safeguards. Ask your vendors to prove they have a risk analysis policy in place and are routinely conducting these kinds of evaluations.
- System activity monitoring. Many breaches go unnoticed for months, which is why it’s crucial your BAs have continuous logging, keep those logs protected and regularly monitor systems for strange activity.
- Managing software patches. Even the feds can struggle with this one, as seen in a recent HHS audit of the branches within the department. Applying security patches as soon as they’re released is an important part of provider and BA security. Decisions about security patching should also be documented.
- Staff training. Bowen recommends vendors include training for secure development practices and software development lifecycles, in addition to the typical General Security Awareness training that HIPAA requires.