The long-awaited second phase of the Health Insurance
Portability and Accountability Act (HIPAA) audit program is finally
upon us. The U.S. Department of Health and Human Services'
Office for Civil Rights (OCR) recently announced that it has
selected Virginia-based FCi Federal as the vendor to conduct the
next phase of HIPAA audits. Further, OCR has begun compiling the
list of potential auditees for examination, which will include both
covered entities and business associates.
It is important that potential auditees maintain readiness for
audit examination because HIPAA noncompliance can be costly and
disruptive to an organization. The most common deficiency found by
OCR in its phase one audits was a failure of an organization to
conduct a security risk assessment to identify and mitigate risks
to protected health information (PHI), e.g., PHI on exposed
servers, laptops unencrypted, default passwords not changed,
security software not up-to-date, and inadequate training. As hard
as it is to believe, this "lesson learned" still has not
been implemented by many HIPAA entities, for as recently as a few
weeks ago OCR announced a $750,000 settlement with
Indiana-based Cancer Care Group, P.C., because it did not conduct
an enterprise-wide risk analysis and implement follow-on device and
media control policies to protect the transportation of unencrypted
PHI. OCR contends that a risk assessment could have identified the
control weakness.
To assist healthcare entities' readiness for a HIPAA audit, Day
Pitney LLP has developed several tools to facilitate compliance
with the HIPAA Privacy, Security, and Breach Notification Rules.
Information on Day Pitney's compliance tools is available on
request.