Beginning this month, the HHS/OCR will begin spot-check audits, as required under the HITECH Act. I already mentioned this several months ago, when I pointed out the irony in selecting KPMG as the auditor: KPMG caused a data breach, as a business associate, that involved two covered entities.
No doubt auditors will be looking to see if disk encryption like AlertBoot is used where appropriate. After all, it's the only surefire way of protecting against the leading cause of HIPAA data breaches: the loss or theft of portable electronic devices.
In November, twenty covered entities will be contacted for audits, out of a total of 150 subjects. These initial audits will be used to adjust and review the process. Based on a helpful chart at the hhs.gov site, it looks like the initial audits will finish at the end of April, and the updated audits will be used until the end of December 2012. (I note that they forgot to mark March 2011.)
Each individual audit is expected to take between 3 and 10 business days on site, with selected covered entities being notified 30 to 90 days prior to the visit. Funny. I was under the impression that "spot check" always implied "without warning," but I guess not. Anyhow, it really shouldn't matter: deploying complex security measures, technology as well as policy, is not something that can realistically be done in a couple of months.
(Although, I should point out that parts of it could be. For example, our own AlertBoot computer disk encryption service can deploy encryption to hundreds of laptops and desktop computers in a given day, beginning from day one. It's not how we would recommend that you approach deployments -- a little testing is always recommended before deploying encryption -- but it can be done.)
It is implied that Business Associates will be spared from the initial round of audits.
As the hhs.gov site notes, "audits are primarily a compliance improvement activity...should an audit indicate a serious compliance issue, OCR may initiate a compliance review to address the problem." But, fear not:
OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity.
Unlike the "Wall of Shame," it looks like the Department of Health and Human Services and the Office for Civil Rights are quite bent on not revealing to the public what happens in these audits. On the other hand, there's no stopping a Senator or Congressman from going public with the results, is there?
Encryption software is a valuable tool when it comes to protecting patient data and complying with many aspects of HIPAA and HITECH. However, one should be reminded that encryption is not required. You can still be in compliance with the Security Rule without using data encryption on your computers.
Of course, if something happens to that computer and you didn't use encryption software to protect PHI, then the Breach Notification Rule kicks in and you're required to contact affected patients. But, as far as I know, you're still OK under the Security Rule, so the OCR can't go around fining you a million bucks.
On the other hand, there's nothing preventing your patients from taking a civil action.
Related Articles and Sites:
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
http://www.healthcareitnews.com/blog/ocr-hipaa-audits-finally-kick