| LXBN | March 24, 2016
Gird your loins and gather your files: It’s time for phase 2 HIPAA audits.
And this time it’s (more) digital.
The long-awaited second round of HIPAA audits has finally arrived, and the Office of Civil Rights (OCR) will include business associates for the first time. These audits couldn’t come at a better time, with more awareness than ever surrounding privacy and data security, and as more and more of the country turns to electronic medical records to manage their healthcare. But as we delve into mounting HIPAA audits and patient privacy, one question still lingers: Are electronic files worth it?
With phase 2 of its HIPAA audits, OCR hopes to continue what the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) started. The act requires OCR to periodically audit covered entities and business associates for compliance with HIPAA rules. Phase 1 audits took place from 2011-2012, but those only examined covered entities.
But now, the OCR is conducting 200 desk and on-site audits of both covered entities and business associates. And Linn Foster Freedman of the Data Privacy & Security Insider says that they’re going to be a lot stricter this time around too:
The OCR has given covered entities and business associates time for
compliance, and this new round of audits will not be as kind as the last. We
have seen a change in the tone of investigations and enforcement actions by the
OCR in the last two years and it is losing patience with covered entities and
business associates being lax with compliance.
Although the new audits will include the old reliable questions, we
anticipate that the OCR will look deeper into covered entities’ and business
associates’ compliance with the Security Rule, including completing a security
risk assessment, ongoing risk management, frequent training of employees and
business associate agreements. All of these areas have been a focus of the OCR
in the recent past, and such is evident from the most recent fines and
penalties assessed against covered entities.
The last time OCR audits came down, healthcare providers were only completing the first big push to electronic health records. But now that the system is more established, what’s the breach outlook like? Well, it’s still not great.
The EHR business now boasts a cool global market of about $22 billion. Between 2008 and 2014 the number of U.S. hospitals using digital records skyrocketed from 9.4 to 75.5 percent. More than 8 in 10 doctors have adopted EHR systems, even if 51 percent of them are only using the basic functionalities of their system. It’s something patients can see huge benefits from, but doctors don’t love—and with good reason.
The systems, which have cost the country billions, aren’t necessarily seamless (in fact they rarely are), and often add to a provider’s workload, rather than subtract. And many doctors see it as a privacy liability. One third of all data breaches happened in the healthcare industry, probably because healthcare data is some of the most lucrative of all—making it no surprise that since 2010, incidents of medical identity theft have doubled. Though sometimes paper file loss was responsible, the OCR found last year that hacking or IT incidents accounted for 73 percent of individuals affected by breaches. To healthcare providers, digitization of medical records seems to poke more holes in their systems, which often aren’t equipped with encryption, and EHR is a symptom of that weak link.
What’s more, there simply aren’t enough safeguards in place to secure most patients’ data, and some doubt even OCR’s audits can do the job right. Especially if—as some have accused—providers of EHR are taking advantage of the lack of regulation.
As phase 2 kicks off, now is the time to check and see if that OCR pre-audit email got caught in the spam filter, and to gather all the information you need for this kind of laborious undertaking, including some review of your privacy, security, and breach notification rules. That EHR clearly isn’t going to protect itself.