Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Beyond the Basics: What Covered Entities and Business Associates Need to Know About OCR Security Audits

Posted on November 20, 2014 I Written By

The following is a guest blog post by Mark Fulford, Partner in LBMC’s Security & Risk Services practice group.
The next round of Office for Civil Rights (OCR) audits are barreling down upon us, and many healthcare providers, clearing houses and business associates—even ones that think they’re prepared—could be in for an unpleasant surprise. If the 2012 round of OCR audits is any indication, the upcoming audits will most likely reveal that the healthcare industry at large is still struggling to figure out how to implement a compliant security strategy.

Granted, HIPAA regulations are not always as prescriptive as some might like. By design, HIPAA incorporates a degree of flexibility, leaving covered entities and business associates to make decisions about their own approach to compliance based on size, budget, and the risks that are unique to their operations.

But the first round of OCR audits indicated that many healthcare organizations had not even taken the first step in initiating a security compliance strategy—two-thirds of the covered entities had not performed a complete and accurate risk assessment to determine areas of vulnerability and exposure. Apparently, these entities were not necessarily unclear on HIPAA regulations; they simply had not yet made a serious effort to comply.

Out of the 115 entities audited, only 13 had no findings or observations (11%). This time around, the expectation will be that covered entities and business associates will have taken note of the 2012 audit findings, and that the effort to comply will be much improved.

All covered entities and business associates may be subject to an OCR audit. If you have not yet conducted an organizational risk assessment, now would be the time to do so. The OCR provides guidelines, and you can also reference the Office of the National Coordinator for Health Information Technology (ONC) and standards organizations like the National Institute of Standards and Technology (NIST). Additionally, the OCR has released an Audit Program Protocol to help you better prepare.

Five Key Areas to Address for OCR Audit Preparation

Based on our experience in the healthcare industry and consistent with the 2012 OCR Audit findings and observations, here’s how you can prepare for the upcoming OCR audits:

  • Know where your data resides. Many organizations fail to account for protected health information (PHI) in both paper and electronic forms. Between legacy systems (where data might be not well-indexed), printed copies (data could be abandoned in a desk) and mobile device use (data could be anywhere), large volumes of at-risk data is often floating around in places it shouldn’t be. In the first round of OCR audits, issues with security accounted for 60% of the findings and observations. To avoid falling into that trap, do a thorough inventory of your PHI and make decisions on how to handle and store it going forward.
  • Review business associate agreements. Business associates were not included in the 2012 OCR audits, but they will be this time around. If any of your business associates are found to be non-compliant, you will most likely be included in the subsequent investigation. Ask your accounting and IT departments to prepare a list of all third parties with whom you share PHI. Make sure your agreements are up-to-date and that your vendors are making good faith efforts to be in compliance. Due diligence can be accomplished through the use of questionnaires, your own audit, or a third-party assurance (e.g., a Service Organization Control (SOC) or a HITRUST report). And if you are a business associate, be aware that you, too, could be selected for an audit.
  • Establish a monitoring program. Your system, firewall and antivirus/antimalware software all regularly log system events. But beyond logging data, HIPAA dictates that you actively review the data to identify suspicious activity. If you haven’t already, assign an individual the task of reviewing your data for anomalies. Also, plan on conducting regular sweeps of the office to make sure that all printed documents are being stored and disposed of properly.
  • Identify breach reporting procedures. The Omnibus HIPAA rule has since updated the breach reporting requirements that were first outlined in HITECH. Make sure your breach reporting procedures are compliant with the most recent standards. While the 2012 OCR audits reported only 10% of their findings associated with the Breach Rule (as opposed to 30% and 60% associated with the Privacy and Security Rules respectively), failure to have a compliant breach reporting process could be a major problem if you are audited.
  • Schedule Staff Training. Most breaches are the result of human error. HIPAA requires that regular security training and security reminders be an integral part of your healthcare compliance strategy. Twenty-six percent of the Administrative Requirements findings and observations in the 2012 OCR audits involved training issues. Don’t assume that your employees know how to handle sensitive data. (Even if they do, it’s easy to forget.) Constant reminders create a culture of accountability that holds each individual responsible for protecting patients’ confidential health information.

While OCR audits give the OCR an opportunity to step up enforcement of HIPAA rules, anyone can register a complaint against you at any time. Thorough preparation for the upcoming OCR audits not only ensures that you will pass one if you are selected, it also protects you from breach, patient complaints, and general loss of public trust and good will.

About Mark Fulford
Mark Fulford is a Partner in LBMC’s Security & Risk Services practice group.  He has over 20 years of experience in information systems management, IT auditing, and security.  Marks focuses on risk assessments and information systems auditing engagements including SOC reporting in the healthcare sector.  He is a Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP).   LBMC is a top 50 Accounting & Consulting firm based in Brentwood, Tennessee.

HIPAA Fines and Penalties in a HIPAA Omnibus World

Posted on July 25, 2013 I Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Lately I’ve been seeing a number of really lazy approaches to making sure a company is HIPAA compliant. I think there’s a pandora’s box just waiting to explode where many companies are going to get slammed with HIPAA compliance issues. Certainly there are plenty of HIPAA compliance issues at healthcare provider organizations, but the larger compliance issue is going to likely come from all of these business associates that are now going to be held responsible for any HIPAA violations that occur with their systems.

For those not keeping up with the changes to HIPAA as part of the HITECH Act and HIPAA Omnibus, here are a couple of the biggest changes. First, HITECH provided some real teeth when it comes to penalties for HIPAA violations. Second, HIPAA Omnibus puts business associates in a position of responsibility when it comes to any HIPAA violations. Yes, this means that healthcare companies that experience HIPAA violations could be fined just like previous covered entities.

To put it simply, hundreds of organizations who didn’t have to worry too much about HIPAA will now be held responsible.

This is likely going to be a recipe for disaster for those organizations who aren’t covering their bases when it comes to HIPAA compliance. Consider two of the most recent fines where Idaho State University was fined $400k for HIPAA violations and the $1.7 million penalty for WellPoint’s HIPAA violations. In the first case, they had a disabled firewall for a year, and the second one failed to secure an online application database containing sensitive data.

Of course, none of the above examples take into account the possible civil cases that can be created against these organizations or the brand impact to the organization of a HIPAA violation. The penalties of a HIPAA violation range between $100 to $50,000 per violation depending on the HIPAA violation category. I’ll be interested to see how HHS defines “Reasonable Cause” versus “Willfull Neglect – Corrected.”

I’ve seen far too many organizations not taking the HIPAA requirements seriously. This is going to come back to bite many organizations. Plus, healthcare organizations better make sure they have proper business associate agreements with these companies in order to insulate them against the neglect of the business associate. I don’t see HHS starting to search for companies that aren’t compliant. However, if they get a report of issues, they’ll have to investigate and they won’t likely be happy with what they find.

The message to all is to make sure your HIPAA house is in order. Unfortunately, I don’t think many will really listen until the first shoe falls.

HIPAA Omnibus – What Should You Know?

Posted on March 26, 2013 I Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I had the great opportunity to sit down with HIPAA expert, Rita Bowen from HealthPort, at HIMSS 2013 and learn more about the changes that came from the recently released HIPAA Omnibus rule. The timing for this video is great, because today is the day the HIPAA Omnibus rule goes into effect. In the video embedded below, Rita talks about what you should know about the new HIPAA changes, the new business associate requirements, and restricting the flow of sequestered health information.