As many CIOs or Compliance Officers can attest, it’s impossible to attend a healthcare privacy or security conference these days without running into Leon Rodriguez. Rodriguez, the Director of OCR/HHS, gives the same presentation at these events time and again, and, without fail, draws the highest attendance of any particular event session. While Rodriguez holds himself well at the podium, attendees are not exactly lining up in the standing room only section of the banquet hall to see public speaking virtuosity. No, they are there for the terrifying subject matter: the HIPAA Audit Program.
The HIPAA Audit Program, enacted through the HITECH Act in 2009, was put in place to correct what was widely seen as a lax HIPAA compliance culture in healthcare. Simply put, HIPAA non-compliance was only an issue if you got caught. Perhaps rightfully so, many healthcare CIOs or compliance professionals have long been concerned only with keeping patient PHI safe. As for following all the “other” HIPAA requirements – performing risk assessments, creating data use and access policies, etc. – most healthcare leaders only actually adhered to the rules insofar as they helped the facility keep patient data safe. In the unfortunate event that a health care facility suffered a data breach and subjected itself to a rigorous OCR/HHS investigation, items such as missing risk assessments and inadequate security incident management processes would be identified and held against the entity. However, manage your data breach risk effectively, the thinking went, and the odds that the federal regulators identified a series of poor documentation practices were small enough to live with.
Through an aggressive audit pilot program, OCR/HHS has let it be known that this relaxed practice is no longer acceptable. The process starts with a letter from the federal agency letting the facility know that it has anywhere from seven to ten days to hand over all of its documented policies and procedures. From there, a site visit is scheduled with OCR/HHS’s auditing firm, KPMG, where a team of their auditors investigates all of the facility’s practices relating to patient PHI privacy and security. From there, a written report is prepared for the facility and, if warranted, sanction and fines are handed down.
Federal agencies are taking data protection practices seriously, and OCR/HHS is leading the charge with the HIPAA Audit Program. In Part 2 of this series, we will go into the HIPAA Audit Pilot findings and show how these will both affect providers and shape the program in the years to come.
With over two decades of technology entrepreneurship background, Krishna Kurapati started QliqSOFT with the strong desire to solve clinical collaboration and workflow challenges in US Healthcare. During the late 90s, Krishna co-founded IPCell to build the first Cable IP Telephony switch, eventually selling the company to Cisco Systems. In 2003, he started Sipera (acquired by Avaya Systems) to solve security issues for Unified Communications' and raised over $30MM in venture funding. Additionally, he has been actively involved in the early-stage financing of startups in both the US and India.
Engaging Patients and Connecting Care Teams Through Interactive Digital ConversationsLearn More