Home Health & Hospice Week

HIPAA:

Claims Audits Aren't The Only Ones That Matter

Don't overlook IT audits.

You're familiar with Medicare audits and maybe even HIPAA audits - but have you ever heard of a health information technology audit? If not, get to know the specifics of how the government performs these and what it's seeking.

During a recent OIG podcast, the OIG's IT audit director, Jarvis Rodgers, provided some specifics about the latest trends in health IT and how you can avoid getting into trouble.

Protecting a patient's health records may seem like it's just another government requirement that has no rhyme or reason behind it, but the reality is that health records can be immeasurably valuable for thieves. "Health records can fetch, sometimes 60 times more than what a stolen credit card can yield on the dark web," Rodgers said. "Whereas credit cards may have a shelf life, if they're compromised, of just a day or two, health records tend to last a lifetime. So I think it's important for folks to really protect their health information, to be aware of who has their health information, and recognize that, if your health information is compromised it could also result in things like someone filing a false tax return on your behalf."

To ensure that this information is under lock and key, the OIG investigates how carefully providers, hospitals, insurers, and other entities are protecting those medical records, he adds. Therefore, if you haven't yet performed a healthcare IT risk assessment, now is the time to ensure that all of your patients' protected health information is secure and impenetrable.

One way the government ensures that patient records are secure is to attempt to access them, much like a hacker would. "Penetration testing is another area that we're extremely proud of," Rodgers said. "We're able to provide chief information officers, and sometimes chief financial officers, with information where we have exploited a particular vulnerability, and we've actually been able to get into a network."

While performing penetration testing, OIG auditors review specific items such as whether the entity changed the out-of-the-box usernames and passwords that the manufacturer created, Rodgers said. If those default usernames and passwords are still in effect, then the system is vulnerable to hackers. Providers that have out-of-the box software should be sure and check whether they have changed these passwords, and if not, you should do so immediately.

Other Articles in this issue of

Home Health & Hospice Week

View All