Wednesday, November 9, 2011

OCR Begins HIPAA Compliance Audits

Six months ago, we blogged in our post, “More Hospital Audits to Find HIPAA Security Rule Violations,” that the Department of Health and Human Services Office for Civil Rights would step up their enforcement activity in response to a critique of HIPAA enforcement by the Office of the Inspector General.

As expected, OCR announced today that it will begin pilot audits, including site visits, this month at 20 covered entities to test compliance with HIPAA compliance and security rules, and that testing would expand to include 150 entities by the end of 2012. Any covered entity, regardless of size, is eligible for inclusion in these audits (business associates will be covered in future audits).

"Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem." - Department of Health and Human Services.

If you've been putting off a review of your security and compliance posture with respect to HIPAA, now is a good time to consider your response to an audit notification. Some steps to include in a review may include:

  • Taking an inventory of PHI wherever it resides -- all applications, systems, and devices, including end-user devices such as iPhones and iPads.
  • Reviewing access control policies to ensure that access to applications and systems holding PHI meet the standard of least privilege. Is access limited only to users with a need to know and only as necessary for their job function?
  • Auditing not only access to PHI, but also modifications and deletions. Do applications and systems log the information necessary to conduct an audit? Can you retrieve logged data in a timely manner?
  • Encrypting data at rest and in transit.

Of all the internal controls over PHI, auditing may be the among the most important yet usually receives short shrift. The sheer number of applications, systems, employees, and medical records may prove daunting. Most providers only have the headcount to audit a small portion of activity: access to records of VIPs, employees, friends or relatives, and a small sample of the rest of the patient record population. Compliance and privacy personnel may need to manage an audit console for each individual application or system, and event logging may be incomplete or misconfigured.

Demands on compliance and privacy personnel to prove their organizations' compliance with HIPAA privacy and security requirements will only increase. There is a need to provide auditing and reporting on access to systems holding PHI in a way that business managers and executives can quickly understand and that does not tax an already overworked compliance staff. The verification process should be made more effective and more efficient by making better use of data the organization already collects. The process should be improved without adding more hardware or software and by replacing manual activity whenever possible.

Veriphyr is a new SaaS Identity and Access Intelligence service that improves the use of data that you're already capturing. There's no need for new on- premise equipment or software and no burden on your IT, compliance, and privacy staff. Veriphyr accepts raw identity, privilege, activity, and business data from any source, in any format (including EMR/EHR formats), even if the data is incomplete or damaged.

Veriphyr's analytics technology correlates user activity with user identities and rights to give you a complete picture of access both to patient records and to any application, database, or network in your IT environment.

Download a white paper on medical records privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.

Source: OCR HIPAA Audit Program - U.S. Department of Health and Human Services

Did you like this article? Subscribe to our RSS feed, and click below to share!

No comments:

Popular Posts

Copyright © 2010-2017 by Veriphyr Incorporated, All Rights Reserved.

Contact us at