In Part 2 of this three-part series, we took a deep look into the preliminary HIPAA Audit findings and observed the most common infractions identified by OCR. Specifically, security gaps accounted for the majority of results, with the lack of risk assessments and inadequate mobile device security being two of the most cited weaknesses. Fortunately for those selected in the 2012 pilot phase of the audits, OCR was primarily focused on using the exercise to educate covered entities about serious HIPAA issues. That is, unless a provider exhibited willful ignorance of the HIPAA regulations, criminal and civil penalties were mostly left off the table. Unfortunately, when the audit program is extended in 2014, this free pass will no longer be available. To repeat: if your organization is audited in the future and is shown to be violating HIPAA, severe penalties will be issued.
However, providers still have some time to tighten up processes before the inevitable HIPAA audit. Conscientious covered entities who pay heed to OCR’s recommendations and respond accordingly will help themselves build up the most goodwill. So what should they do?
Above all else, covered entities should conduct frequent (at least annually) internal risk assessments. In addition to being required under the HIPAA Security Rule, conducting a regular risk assessment is a great practice to get into; by systematically observing all of the potential places where PHI can be accessed and developing a plan to correct any gaps, a provider dramatically decreases the chances that its patients’ information can fall into the wrong hands. HHS has provided guidance on how to conduct a risk assessment. This isn’t something that needs to be outsourced to pricey consulting firms; rather, providers are encouraged to self-administer their assessments to analyze their security risks adequately.
Performed correctly, a risk assessment should allow a covered entity to uncover the same weaknesses in its HIPAA compliance that OCR highlighted in the pilot audits. One such concern is how an entity prevents PHI from being stored on unsecured mobile devices. If you are a hospital administrator who allows provider employees to store pieces of patient information on laptop computers, removable hard drives, smartphones, or any other mobile device, OCR is going to ask you to produce your documented device and media control plan. As with any other required implementation specification, the absence of this document will lead to strict monetary penalties.
In August, OCR is expected to come out with some additional guidance for those who will be subject to a HIPAA audit in the future. You can be sure that they will once again underscore the importance of putting together a risk assessment and an associated documented plan. The HIPAA enforcement agency does not expect complete HIPAA compliance on each and every regulation buried in the thousands of pages of text, but it does expect all entities to have the foundational HIPAA compliance element of a risk assessment in place. Conducting regular assessments will take providers a very long way in passing the dreaded HIPAA audit.
Krishna Kurapati is the Founder and CEO of QliqSOFT. He has more than two decades of technology entrepreneurship experience. Kurapati started QliqSOFT with the strong desire to solve clinical collaboration and workflow challenges using artificial intelligence (AI)-powered digital technologies across the U.S. healthcare system.