HIPAA Audits Still in Development Federal Officials Have Yet to Pick a HIPAA Audit Model
The Department of Health and Human Services' Office for Civil Rights has yet to firm up a timeline or a strategy for HIPAA compliance audits, which were mandated by the HITECH Act. That's the word from Adam Greene, senior health information technology and privacy specialist at OCR, who spoke Feb. 21 at the Healthcare Information and Management Systems Society Conference in Orlando.

OCR, which hired the consulting firm Booz Allen Hamilton to help design the auditing program, "is still working through what will give us the most bang for the buck," Greene said. For example, it's still weighing whether to audit a random sample of healthcare organizations or "going wider," he said.

Last May, another official at the Office for Civil Rights expressed hope the program would be launched by the end of 2011.

Greene also reiterated that the final version of rules to modify HIPAA privacy, security and enforcement rules will be issued at the same time as a final version of the breach notification rule. But again, he wouldn't say when those rules would be unveiled, other than to say they would be issued this year.

But he acknowledged that a rule governing how to provide an accounting to patients about disclosure of information from electronic health records to those outside of the organization that created them would likely be the first to be issued this year.

At the HIMSS Conference on Feb. 20, Lisa Gallagher, senior director of privacy and security at HIMSS, said that the disclosure rule would likely be issued in March, with the HIPAA modifications and the breach rule likely to come out in the second half of the year.

Compliance Advice

Although HIPAA and the HITECH Act don't explicitly mandate the use of encryption, Greene stressed that the HIPAA security rule makes encryption "addressable," meaning that "it's required if it's reasonable and appropriate." He added, "For electronic health records, it is generally reasonable and appropriate to encrypt."

Greene also noted that in addition to the more than 200 reports of major health information breaches affecting 500 or more individuals reported to OCR so far, the office had received more than 14,000 reports of smaller breach incidents as of the end of 2010.

Because a majority of cases have involved the theft or loss of devices, he urged attendees not to "underestimate the value of physical and administrative safeguards"

And although the proposed HIPAA modifications would extend compliance requirements to business associates, Greene said that hospitals, clinics and insurers still should sign business associate agreements. "It's an important opportunity to clarify their roles," he said.


About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.





Around the Network