HIPAA Audits Still in Development

Federal Officials Have Yet to Pick a HIPAA Audit Model

By Howard Anderson, February 22, 2011.

The Department of Health and Human Services' Office for Civil Rights has yet to firm up a timeline or a strategy for HIPAA compliance audits, which were mandated by the HITECH Act. That's the word from Adam Greene, senior health information technology and privacy specialist at OCR, who spoke Feb. 21 at the Healthcare Information and Management Systems Society Conference in Orlando.

OCR, which hired the consulting firm Booz Allen Hamilton to help design the auditing program, "is still working through what will give us the most bang for the buck," Greene said. For example, it's still weighing whether to audit a random sample of healthcare organizations or "going wider," he said.

Last May, another official at the Office for Civil Rights expressed hope the program would be launched by the end of 2011.

Greene also reiterated that the final version of rules to modify HIPAA privacy, security and enforcement rules will be issued at the same time as a final version of the breach notification rule. But again, he wouldn't say when those rules would be unveiled, other than to say they would be issued this year.

But he acknowledged that a rule governing how to provide an accounting to patients about disclosure of information from electronic health records to those outside of the organization that created them would likely be the first to be issued this year.

At the HIMSS Conference on Feb. 20, Lisa Gallagher, senior director of privacy and security at HIMSS, said that the disclosure rule would likely be issued in March, with the HIPAA modifications and the breach rule likely to come out in the second half of the year.

Compliance Advice

Although HIPAA and the HITECH Act don't explicitly mandate the use of encryption, Greene stressed that the HIPAA security rule makes encryption "addressable," meaning that "it's required if it's reasonable and appropriate." He added, "For electronic health records, it is generally reasonable and appropriate to encrypt."

Greene also noted that in addition to the more than 200 reports of major health information breaches affecting 500 or more individuals reported to OCR so far, the office had received more than 14,000 reports of smaller breach incidents as of the end of 2010.

Because a majority of cases have involved the theft or loss of devices, he urged attendees not to "underestimate the value of physical and administrative safeguards."

And although the proposed HIPAA modifications would extend compliance requirements to business associates, Greene said that hospitals, clinics and insurers still should sign business associate agreements. "It's an important opportunity to clarify their roles," he said.

Follow Howard Anderson on Twitter: @HealthInfoSec
