I think it’s only fitting, as we come upon October and the month of scary things, to talk about what healthcare providers have been dreading for some time now… the HIPAA audits are coming. According to the Department of Health and Human Services, the first-ever round of HIPAA audits is scheduled to kick off in October. The agency is apparently also working on a plan for healthcare organizations to deal with the growing surge in cyber threats (more to come on this soon). The directors of the Office of Civil Rights (OCR) and the Director for Health Information Privacy provided the update on HIPAA enforcement activities on September 15th, setting a pretty tight deadline for the 40 to 50 business associates who will be selected for the “desk” or remote audit. While this is the first round of actual audits, it was foreshadowed earlier this year when organizations were contacted by the OCR requesting verification of contact information “in case” they were chosen for an audit. This time there will be no warning. Once the organizations are selected, there will be a webinar where they will learn what the audit entails and what they need to produce. After the webinar, they will have ten days to submit detailed documentation about specific areas of HIPAA compliance.
In an article on govinfosecurity.com, David Holtzman, privacy attorney and vice president of compliance at security consultancy CynergisTek, said “The time to prepare for the audits is now.” Organizations should be prepared to show the policies and procedures they have in place for notifying their covered entities of a hypothetical breach, along with any examples of how or when they have done so for actual breaches. Most experts feel that this round of audits is most likely nothing more than information gathering to set standards and benchmarks, rather than enforcement of policies. However, if you are chosen for this round of audits, you do have a true challenge ahead. This may only be information gathering, but because it will set a true standard for the industry, you should be thoughtful about how you respond. This round is built around a hypothetical breach, but it is also meant to prepare you and make sure you have procedures in place that will both alert you when a breach happens and guide you through remediation.
Why should you worry?
It is no secret that cyber-attacks have grown exponentially in recent years, and healthcare organizations are some of the hardest hit due to the value of PHI on the black market. For example, ransomware attacks are up 300% from 2015, and this is just one form of the new cyber threats that healthcare organizations are facing. While some are focusing their worry on the audit, what it should really do is focus you on the real risk in your organization. It will also illuminate how prepared the industry is, and that will inform and influence future compliance regulations.
What to do?
If you haven’t already, start now. There are already several guidelines in place to enforce HIPAA compliance. Make sure that you are following suggested measures such as:
• Conduct an enterprise-wide security assessment – Know where your risks lie.
• Train your workforce – Arm your team with information on phishing attacks, malware, and what to do if they think they have been compromised.
• Limit access to PHI – Know where your PHI lives and who has access, and then determine if those actors truly need access.
• Patch known vulnerabilities – There are over 700,000 known vulnerabilities in the world, and that number is growing every day. Learn which of these are leaving you most at risk and prioritize patching.
Being prepared is about more than just passing the audit or making it through this first round. If you are protected against the real risk in your organization, compliance will happen.