The HITECH Act shifted responsibility for enforcing the HIPAA Security Rule from the Centers for Medicare & Medicaid Services (CMS) to the Office for Civil Rights (OCR), which is part of the Department of Health and Human Services.  OCR has been enforcing the HIPAA Privacy Rule since 2003 and is now gearing up to start HIPAA Security Rule enforcement.  It is working with the consulting firm Booz Allen Hamilton to determine the audit model it will use and how quickly that model can be put in place.

Susan McAndrew, OCR's deputy director for privacy, said in an interview with HealthcareInfoSecurity.com that:

  • The audits likely will be outsourced and not conducted by OCR staff.
  • Security audits will check that organizations have completed a risk assessment and implemented appropriate administrative, technical and physical safeguards.
  • Audits for compliance with the privacy rule will focus on organizations’ efforts to uphold individuals’ rights, such as their right to access their own medical records.

It seems clear that a major part of any HIPAA Security Audit will be based on how a practice conducted its risk assessment.  As I mentioned in this article, I believe the Risk Assessment is at the core of the HIPAA Security Rule.

McAndrew also mentions the importance of using encryption technology on mobile devices.  She goes on to say:

I am continually surprised by the fact that you actually have to lose your laptop before the light bulb goes on and you say, “Gee, maybe I need an encryption policy here.” You know, you are a lot better off if you can learn from your neighbor. Don’t let it happen to you; encrypt those things now and don’t wait until they are lost to suddenly decide, “Gosh that’s probably a good idea.” And the other lesson I hope people learn is that it is not good enough just to have the policy or to have that light bulb go on. Once you have established that as your policy, you really have to make sure that you train people and it is part of your culture to ensure that encryption happens because, two weeks after you issue the e-mail saying this is what you have to do, life takes over and people think it is too much trouble or they have to go see an IT person and they don’t have time and they walk out the door without getting their laptop encrypted and bad things happen. So it is to have a good policy and enforce that policy so that we don’t have to enforce that policy.

Susan McAndrew gives some good insight into what is going to occur with HIPAA Security Audits.  The audits will most likely begin by the end of the year, and they will most likely be outsourced rather than handled by OCR personnel.  A major focus of a HIPAA Security Audit will be the Risk Assessment and how a practice implements the Administrative, Technical and Physical safeguards.  In addition, her advice is to start using encryption on all mobile devices, and to enforce that policy rather than merely announce it.
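The interview's point about encryption is that a policy is worthless unless someone checks that laptops actually left the door encrypted.  As an added example (not code from the original post or from OCR), the following Python script is the kind of check a practice could run from a login script or fleet-management tool on Linux laptops: it parses lsblk's JSON output and reports any data-bearing mountpoint that is not backed by a dm-crypt/LUKS layer, including the common LVM-on-LUKS layout.  The list of sensitive mountpoints, the device names and the two sample outputs are constructed assumptions; Windows (BitLocker) and macOS (FileVault) need their own checks.

```python
"""Added example, not code from the original post: verify that a Linux laptop's
data-bearing filesystems sit on an encrypted (dm-crypt/LUKS) block device by
parsing `lsblk --json` output. Device names and sample outputs are constructed."""
import json
import subprocess

# Assumption: these mountpoints are where ePHI could end up on a workstation.
# /boot and /boot/efi are deliberately excluded; they hold no user data.
SENSITIVE_MOUNTS = ("/", "/home", "/var", "/srv")


def _mountpoints(node):
    """Return the list of mountpoints for one lsblk node.
    Newer util-linux emits "mountpoints" (a list); older versions emit a single
    "mountpoint" string or null. Handle both."""
    mps = node.get("mountpoints")
    if mps is None:
        mp = node.get("mountpoint")
        mps = [mp] if mp else []
    return [m for m in mps if m]


def parse_lsblk(json_text):
    """Flatten the lsblk device tree into (name, type, mountpoint, ancestor_types)
    tuples, one per mountpoint. ancestor_types lists the device types above the
    node, e.g. ['disk', 'part', 'crypt'] for an LVM volume inside a LUKS container."""
    rows = []

    def walk(node, ancestors):
        for mp in _mountpoints(node):
            rows.append((node["name"], node["type"], mp, list(ancestors)))
        for child in node.get("children", []):
            walk(child, ancestors + [node["type"]])

    for dev in json.loads(json_text)["blockdevices"]:
        walk(dev, [])
    return rows


def unencrypted_mounts(json_text, sensitive=SENSITIVE_MOUNTS):
    """Return sorted (mountpoint, device) pairs for sensitive mountpoints that have
    no 'crypt' layer in their own type or anywhere in their ancestry.
    An empty list means every sensitive filesystem is on an encrypted device."""
    findings = []
    for name, dtype, mountpoint, ancestors in parse_lsblk(json_text):
        if mountpoint in sensitive and dtype != "crypt" and "crypt" not in ancestors:
            findings.append((mountpoint, name))
    return sorted(findings)


def live_lsblk():
    """Query the running system. Requires util-linux with JSON support (2.27+)."""
    out = subprocess.run(
        ["lsblk", "--json", "-o", "NAME,TYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    )
    return out.stdout


# Constructed sample: LUKS container holding LVM root and home volumes.
ENCRYPTED_SAMPLE = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                {"name": "vg-home", "type": "lvm", "mountpoint": "/home"},
            ]},
        ]},
    ]},
]})

# Constructed sample: plain partitions, no encryption layer at all.
UNENCRYPTED_SAMPLE = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": "/"},
        {"name": "sda3", "type": "part", "mountpoint": "/home"},
    ]},
]})

if __name__ == "__main__":
    for label, sample in (("encrypted", ENCRYPTED_SAMPLE), ("unencrypted", UNENCRYPTED_SAMPLE)):
        print(label, "->", unencrypted_mounts(sample) or "OK")
    try:
        print("this host ->", unencrypted_mounts(live_lsblk()) or "OK")
    except (OSError, subprocess.CalledProcessError) as exc:
        print("this host -> lsblk unavailable:", exc)
```

The check walks the device ancestry rather than looking only at the mounted device, because on a typical LUKS install the filesystem that holds / is an LVM volume two layers above the crypt device.  Anything the script reports is a laptop that would turn a theft into a reportable breach; an empty result is the evidence an auditor will ask for.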

The writing is now on the wall.  Now is the time to start thinking about HIPAA security.  It does not matter what phase you are in regarding electronic protected health information (ePHI).  If you are evaluating EMRs, a major concern should be how the EMR fits into your overall security strategy.  If you have already implemented an EMR, then you should make sure that you have completed your risk assessment and that you have implemented the steps required to protect your ePHI.

Update:  OCR has published guidance on performing a Risk Analysis.
