Day Pitney LLP has launched a new HIPAA Self-Assessment Tool just ahead of the second round of HIPAA compliance audits by the Department of Health and Human Services’ Office for Civil Rights (OCR).
The law firm, with approximately 300 attorneys in its Connecticut, New Jersey, New York, and Washington, D.C. offices, has developed the HIPAA Self-Assessment Tool to help covered entities with their final compliance efforts before the audits begin next quarter.
The HIPAA Self-Assessment Tool allows covered entities to assess their organization for potential HIPAA violations, giving them time to address any problems before they are found by auditors. Covered entities should already have conducted risk assessments to identify security vulnerabilities, although recent reviews carried out by the Office for Civil Rights have shown that risks are often allowed to persist. Failures to conduct complete risk assessments have been cited in the settlements reached with covered entities in 2015.
James Bowers, Day Pitney director of Compliance Risk Services and former chief compliance officer at Aetna Inc., recently highlighted that “Companies should really start self-audits as soon as possible to make sure they are in compliance with the HIPAA rules.”
The risk assessment must identify all security risks that exist at an organization, and efforts must be made to address those risks. So far this year, a number of covered entities have been found to have missed the risks associated with portable storage devices and laptop computers. Others did not update software, change default passwords on medical devices, or conduct comprehensive staff training programs on data privacy and security issues, and did not put in place appropriate administrative, technical, and physical safeguards to keep ePHI secure.
The HIPAA Self-Assessment Tool allows compliance officers, privacy officers, medical records managers, CISOs, and CIOs to make final preparations before the audits. While there can be no guarantee that use of the HIPAA Self-Assessment Tool will mean that an audit is passed, organizations can benefit greatly from using it and can find gaps in their HIPAA compliance programs. Even when considerable time, resources, and effort have been put into compliance, gaps may remain.
This phase of the HIPAA compliance audit program has been delayed, although major progress has been made and OCR has revealed that the next phase will start in early 2016. The audits will review compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR will look at specific areas of compliance and will hope to see evidence of HIPAA in action. The HIPAA Self-Assessment Tool is simple to use.
Susan Huntington stated: “Once a client inputs its information, the Tool provides an automated assessment summary.” She added, “If there are areas of noncompliance, our team is ready to work with the client to address and correct such areas.”
The aim of the audits is not to punish organizations for failing to adhere to Health Insurance Portability and Accountability Act Rules, but rather to review whether covered entities have applied HIPAA Rules to safeguard ePHI and prevent data breaches.
While the initial round of compliance audits only saw Corrective Action Plans (CAPs) issued for the non-compliance issues discovered by auditors, OCR is not likely to be as lenient this time around. The Security Rule has been in operation since April 21, 2005, and the Privacy Rule since April 14, 2003. Covered entities have therefore had plenty of time to bring policies and procedures up to the HIPAA standard.