Plus: Don’t make the same mistake this local government did.
Get your staff thinking about compliance again, because more HIPAA audits are on the way – with the potential for hefty enforcement fines and penalties that every facility wants to avoid.
On March 14, the HHS Office for Civil Rights (OCR) announced that it will begin its second round of HIPAA audits on Oct. 1. Audits will focus on whether providers use data encryption and whether they have conducted the underlying risk analysis that determines if encryption is necessary, according to a March 28 Nixon Peabody LLP HIPAA Law Alert blog posting.
“The 2014 audits will primarily focus on whether covered entities and business associates have conducted timely and thorough security risk assessments,” Nixon Peabody stated. “This means that organizations must have updated their processes for privacy and security of protected health information because HIPAA requirements and standards have changed since Sept. 23, 2013.”
Beware that the 2014 HIPAA audit process will change in accordance with the HIPAA Omnibus Final Rule’s revisions that went into effect in September 2013, Nixon Peabody reminded. Also, OCR will assess “more civil penalties during the 2014 audit series because it has approval to collect penalties that will be used for upcoming auditing and breach analysis.”
Learn from a Local Government’s Run-In With HIPAA
For the first time, the OCR has handed down a settlement for a county government’s alleged HIPAA violations. OCR is using this case to send a message that local and county governments, whether big or small, are not immune to HIPAA compliance enforcement.
On March 7, OCR announced a $215,000 settlement agreement with Skagit County, WA’s Public Health Department. The settlement arose from a 2011 incident involving the county’s unauthorized disclosure of 1,500 individuals’ electronic protected health information (ePHI), reported partner Thomas Range in a March 13 Health Law Rx Blog posting for the law firm Akerman, LLP.
“The settlement also covered what HHS deemed to be the county’s ‘general and widespread non-compliance’ with HIPAA,” Range said. After an investigation, OCR found that the county had violated the HIPAA Privacy, Security, and Data Breach Notification Rules.
In addition to the monetary settlement, the county will implement an extensive corrective action plan (CAP).
“County, city and local governments should view the Skagit County HIPAA settlement as a warning to review and implement appropriate hybrid entity status and to implement appropriate policies and procedures and employee training regarding PHI,” wrote attorneys Linn Foster Freedman and Kathryn Sylvia in a March 12 Nixon Peabody LLP HIPAA Law Alert blog posting.
Check Out a New Assessment Tool
If you need help conducting your security risk assessment, a new tool from OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC) might be just what you need.
On March 28, the ONC and OCR announced their joint release of a new security risk assessment tool, designed for small to medium-sized providers. The downloadable tool is available for use on Windows 7 or an iPad and helps practices conduct and document a risk assessment. The application even produces a report that you can provide to auditors.
“In many ways, the tool is an evolution of the NIST HIPAA Security Rule Toolkit released in 2011,” notes Jim Sheldon-Dean, founder and director of compliance for Lewis Creek Systems, LLC, in Charlotte, Vt. “It doesn’t make the work any easier, but it makes organizing the information and producing reports a little easier if you’re new to Risk Analysis.”
Beware: Sheldon-Dean also cautions that if you use the tool well, it could help — but use it poorly, and “it could provide a false sense of security.”
Link: You can access the tool, user guide, and related videos at www.healthit.gov/providers-professionals/security-risk-assessment.