SOURCE: LockPath, Inc.


May 18, 2015 00:00 ET

Anticipating Harsher Fines, Health Care Organizations Prepare for OCR Audits

OVERLAND PARK, KS--(Marketwired - May 18, 2015) - Although a timeline has yet to be set, health care organizations should continue to do all they can to prepare for the next round of OCR audits. A recent survey found that only 58 percent of the medical practices polled had a HIPAA compliance plan. The remaining 42 percent either did not have a plan or were not aware whether one existed. This could be bad news for any organization randomly selected for an audit.

Once the second-round audits do begin, providers can expect them to be more comprehensive, with harsher penalties. Experts are anticipating a wide range of fine amounts, even though a clear fine structure has not been provided. According to Geraldine Davis, Department of Health and Human Services' Office for Civil Rights (OCR) representative, "OCR will look at covered entities and business associates' risk analysis and risk management (the Security Rule), the content and timeliness of breach notifications (the Breach Notification Rule) and the notice of privacy practices and access rights (the Privacy Rule)."

Conducting regular risk assessments to identify any potential vulnerabilities is a great way to stay proactive and prepare for HIPAA audits. Yet only 33 percent of the organizations polled have completed a risk analysis. All risks should be considered, not just those relating to security, according to Linda Sanches, OCR Senior Advisor of health information privacy. "We want to see that they've thought about all of the different areas of risk and different types of information going out as well as keeping track of new technology coming into the organization. This includes not only administrative and technical protections, but human error vulnerabilities as well."

Other than risk analysis, here are some tips to help you survive the second-round audits:

  1. Ensure all policies and procedures are correct and up to date. This means all workflows should correlate with procedures, and all employees should be well versed in the day-to-day interaction with PHI.
  2. Have regular training in place for staff members who are not compliant with or are not aware of privacy and security measures.
  3. Conduct self-audits to test procedures, especially those surrounding PHI.
  4. Assess your business associates' (BAs') HIPAA compliance to determine the risk they could pose to the organization. Have a complete list of your vendors with contact information, and know what services they provide. Keeping track of BAs can be done easily within a governance, risk and compliance solution like LockPath's Keylight.

With the audit timeline still in limbo, it's tempting to procrastinate on preparation and prioritize more urgent matters. That can prove regrettable if OCR auditors uncover several finable offenses. Sometimes it's best to prioritize efforts that are more important to the health of your organization rather than those that are more urgent.

About LockPath
LockPath is a market leader in corporate governance, risk management, regulatory compliance (GRC) and information security (InfoSec) software. The company's flexible, scalable and fully integrated suite of applications is used by organizations to automate business processes, reduce enterprise risk and demonstrate regulatory compliance to achieve audit-ready status. LockPath serves a client base of global organizations ranging from small and midsize companies to Fortune 10 enterprises in more than 15 industries. The company is headquartered in Overland Park, Kansas.