In Part 1 of this series, we examined the purpose and general background of the HIPAA Audit Program. In this second part of the series, we will take an in-depth look into the HIPAA Audit findings to see what issues are tripping up providers the most. Remember: while the pilot phase of the program was intended to be educational, OCR has stated that future violations can and will be accompanied by sanctions, up to and including civil monetary penalties.
In its 2012 HIPAA Audit Pilot Program, OCR sought to create a cross section of providers and payers to assess the trends in HIPAA compliance. Included in this sample were large, medium, and small provider groups, community hospitals, outpatient surgery clinics, pharmacies of all types, and many other entity types. Despite the wide mix of auditees, OCR found patterns of noncompliance with the Security Rule, the Privacy Rule, and the Breach Notification Rule. At a high level, OCR recently covered some of these major issues:
1. Security gaps accounted for 60% of the audit findings
2. Only 11% of all selected entities had no discovered HIPAA violations
3. Smaller providers struggle the most with HIPAA compliance
Specific to the Security Rule findings, OCR learned that nearly two-thirds of all entities (including about 80% of all providers) either had not performed a risk assessment or had an incomplete one on file. Moreover, issues of access management, media movement (including PHI-containing mobile devices), and data encryption were found to be serious areas of concern, accounting for over one-third of all Security Rule violations. OCR even went so far as to diagnose the underlying cause: entities are simply unaware of the requirements they are violating.
Fortunately for those selected in the pilot program, this “willful ignorance” was, in most cases, not enough to prompt sanctions. However, this is about to change. OCR undertook the year-long pilot to collect data on where the biggest HIPAA compliance gaps were and to share it with those who will be audited in the future. Providers have been effectively put on notice. So if you are a provider and have been neglecting your risk assessments, allowing workforce members to share PHI on their mobile devices, or are not encrypting all PHI in motion, now is the time to start righting the ship before the full audit program is rolled out in 2014.
In Part 3 of this series, we will cover the extension of the HIPAA Audit Program as well as the best practices providers should adopt to minimize their audit exposure.
Krishna Kurapati is the Founder and CEO of QliqSOFT. He has more than two decades of technology entrepreneurship experience. Kurapati started QliqSOFT with the strong desire to solve clinical collaboration and workflow challenges using artificial intelligence (AI)-powered digital technologies across the U.S. healthcare system.