HIPAA-Covered Entities Set for Compliance Audits

A survey recently released by Healthcare Information Security Today (HIST) shows many Covered Entities (CEs) are making the same compliance errors that were uncovered during the initial phase of audits.

It has been three years since the OCR finished the pilot phase of HIPAA compliance audits. The OCR found numerous violations of all HIPAA Rules when it viewed the results, and while healthcare data security standards have improved significantly since 2012, many Covered Entities (CEs) would still fail a compliance audit.

The OCR used the results of the intitial phase to develop a protocol for phase two, and the areas that CEs struggled to put in place will be specifically tested second time around. A number of healthcare suppliers could have a rude awakening on what compliance with HIPAA really means for them.

The HIST survey showed a surprising level of confidence among covered bodies. 80% of respondents said they were happy or somewhat confident in  relation to passing a compliance audit.

The pilot round of compliance audits showed many areas where organizations were failing to comply with the HIPAA Security Rule, in particular, the requirement to complete a risk analysis. Organizations had either failed to complete a risk analysis, or failed to identify all the security vulnerabilities that were present.

The answers from those questioned on the HIST survey indicate the level of compliance has improved greatly during the past three years; however a quarter of respondents said they had not finished a risk assessment in the past 12 months. HIPAA demands that risk analyses are conducted; it is not a one time duty. No healthcare IT environment remains the same for one year, and new security weaknesses can all too easily develop. The failure to monitor for danger on an ongoing basis is a clear violation of the Security Rule.

Technologies exist to securely manage PHI, yet many organizations are failing to put those technologies to use. Data encryption is still not being utilized to secure data, even on high risk devices such as portable storage drives and laptop computers. BYOD schemes have been used, but only 50% of covered bodies insist on a secure messaging app or other form of data encryption on the devices.

The potential HIPAA breaches do not end there. The next round of compliance audits will test compliance with the HIPAA Omnibus Rule of 2013, which brought Business Associates (BAs) under the privacy and security regulations. The OCR will be auditing BAs during the second phase of audits and they too must be able to show compliance with HIPAA Rules.

Rather worryingly, even some of the fundamental HIPAA Rules are not being adhered to  according to the survey. Approximately a 25% of CEs say they have not obtained proof that their BAs have conducted a security audit and a similar percentage not having obtained a copy of their BAs security policies.

The 2015 Healthcare Information Security Today survey was carried out online and the results were compiled from almost 200 surveys completed by CISOs, CIOs and senior healthcare leaders. Surveys were submitted between December, 2014 and January, 2015. The full report can be viewed here.