According to the results of an HCPro survey, healthcare providers and other HIPAA-covered entities are simply not prepared for a compliance inspection; in fact, preparation for HIPAA audits has not even been properly started by many healthcare providers.
The survey, conducted on 400 healthcare professionals, shows that only 17% of respondents said they were fully prepared for the OCR audits. Most organizations have started to prepare for the HIPAA compliance audits, but an alarming 70% of organizations surveyed said they were only “somewhat prepared.”
Unfortunately, since the Department of Health and Human Services’ Office for Civil Rights has now started auditing HIPAA-covered entities to check for compliance with the Privacy, Security and Breach Notification Rules of HIPAA, it is highly probable that the OCR will discover numerous HIPAA violations before the current round of audits is completed. If preparation for HIPAA audits has not yet started, covered entities may be in for a rude (and potentially expensive) awakening.
Rude Awakening for HIPAA-Covered Entities?
The purpose of the pilot round of compliance audits is to identify best practices, which will help the OCR with the issuing of future guidance for covered entities. The audits will also give the OCR an indication of the current state of healthcare cybersecurity defenses, and how well prepared healthcare organizations will be if they suffer a data breach.
This first round of HIPAA compliance audits is expected to highlight many data security and patient privacy violations, although it is not yet known whether the OCR will be issuing fines if violations are uncovered. However, while assistance may be given to help covered entities comply with HIPAA, if sufficient efforts have not been made to at least try to be compliant, fines are likely to follow.
Yet to Prepare for the HIPAA Compliance Audits?
Only a small number of healthcare organizations have been selected for a HIPAA compliance audit, so the probability of being selected is relatively low; however, the OCR is likely to make the audit program a permanent, ongoing series of assessments, increasing the likelihood of an inspection of policies and procedures. The OCR also investigates all data breaches affecting more than 500 individuals, and it may decide to conduct a full compliance audit if a breach of Protected Health Information (PHI) occurs. Breaches often stem from a failure to comply with HIPAA regulations.
In recent months there have been many reports of violations of HIPAA Rules, including failing to secure healthcare records, not arranging for their secure destruction when they are no longer required, and even failing to notify individuals that they have been affected by a PHI breach. Theft of equipment containing PHI is on the increase, and hackers are breaking into healthcare systems to steal patient data and Social Security numbers with increasing regularity.
With the probability of suffering a data breach at an all-time high, it is only a matter of time before a breach actually occurs, at which point compliance policies and procedures will be placed under scrutiny. It is therefore essential that all covered entities start preparations for a HIPAA audit now, if a financial penalty is to be avoided.