The Return of HIPAA Audits: What Covered Entities and Business Associates Need to Know

Posted by Mark Greisiger

A Q&A with Michael Whitcomb of Loricca
The Department of Health and Human Services’ Office for Civil Rights will resume its HIPAA compliance audit program this fall, focusing on both covered entities and business associates with a limited number of narrowly focused “desk audits” as well as comprehensive onsite audits. I asked Michael Whitcomb, founder and president of the IT security and compliance firm Loricca, Inc., what healthcare organizations need to do in anticipation of this increased scrutiny.

It’s important to remember that this isn’t just compliance for compliance’s sake—this is protecting people’s health information.

What steps can a covered entity or business associate take to prepare themselves for these audits?
From my point of view, the Office for Civil Rights is using a carrot and stick approach to encourage organizations to make security and compliance a priority. The very first thing to do is establish a security program and ensure it has board-level support all the way down through the management team. This program should start with risk assessment, conducted by a qualified person. Any corrective action taken should be documented. All of this requires spending money, which no one wants to do as well as major organizational changes including the way the organization deals with vendors. However, it’s important to remember that this isn’t just compliance for compliance’s sake—this is protecting people’s health information, and that benefits all of us.

What are some examples of weak spots you encounter in your audits?
It really comes down to people, policies and procedures. Often organizations underestimate how important policies and procedures are as a foundation for security practices. The next area is technology—the budget needs to account for all of the expenses that go along with rapidly changing tools and costly processes such as log management.

What’s the biggest hurdle to internet security in the healthcare sector?
People tend to be a little cavalier with a “this can’t happen to us” type of mentality. They need to realize that not only can it happen, it probably already has. Too often there’s a disconnect between the board or C level and the IT people who are fighting for the money they need to implement the right security. Our greatest challenge is trying to educate people about the risks and convey that security is not the enemy. You can still do all the things you are in business to do but do them in a way that protects the data. There is certainly a growing understanding about the importance of HIPAA compliance and we’ve made a lot of progress in the past two or three years, but with any regulation it’s an ever-changing landscape and the risks change on a daily basis. Keeping up with them takes focus and commitment.

In summary…
HIPAA/HITECH liability and regulatory exposures will only grow more significant for both covered entities and business associates. Moreover, many states have aggressive Attorneys General enforcing this Federal regulation. They typically view privacy as a major right that needs protection, and the penalties for demonstrating noncompliance and/or anemic data protection practices are very significant, including multimillion-dollar fines in some recent cases.