HIPAA Audit Prep and Breach Prevention

Attorney Points to Government Report for Insights
One good way to prepare for a HIPAA compliance audit is to read a recent government report that identified vulnerabilities that could lead to breaches, says attorney Timothy McCrystal.

Last year's report from the Department of Health and Human Services' Office of the Inspector General focused on technical vulnerabilities identified in seven audits, explains McCrystal, a HIPAA compliance expert. The vulnerabilities related to wireless access, access control, audit control, integrity control, person or entity authentication and transmission security.

In an interview with HealthcareInfoSecurity, McCrystal reviews the details of the OIG report, which was written to call attention to a lack of HIPAA enforcement. The report, for example, found that some hospitals were running out-of-date anti-virus software and had audit logging disabled.

"We are suggesting to our clients that they understand this report and develop a potential work plan and self-audit mechanism to go through their own operations in light of the findings within the report to see where they may have vulnerabilities," he says.
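As an added example (not part of the original article and not McCrystal's or the OIG's own tooling), here is one form such a self-audit mechanism could take: a checklist runner over a constructed host inventory that flags the conditions the report called out, disabled audit logging and stale anti-virus definitions, and adds checks for the wireless-access and transmission-security categories (open or WEP wireless, cleartext transport). The inventory records, field names, category labels and the 30-day threshold are assumptions made for illustration.

```python
"""Self-audit checklist runner modeled on the OIG findings summarized above.

Added example, not the report's or McCrystal's own tooling. The host
inventory, field names and thresholds are constructed for illustration.
"""
from datetime import date

# Constructed inventory resembling an asset-management export.
# Field names are assumptions, not a real product's schema.
INVENTORY = [
    {"host": "ehr-db-01", "audit_logging": True, "av_defs_updated": "2011-12-20",
     "wifi_security": None, "transport": "tls"},
    {"host": "nurse-ws-07", "audit_logging": False, "av_defs_updated": "2011-06-02",
     "wifi_security": "wep", "transport": "plaintext"},
    {"host": "lab-ws-03", "audit_logging": True, "av_defs_updated": "2011-12-28",
     "wifi_security": "wpa2", "transport": "tls"},
    {"host": "guest-ap-01", "audit_logging": False, "av_defs_updated": None,
     "wifi_security": "open", "transport": "plaintext"},
]

AS_OF = date(2012, 1, 15)     # assumed audit date for the constructed data
MAX_AV_AGE_DAYS = 30          # assumed threshold; use one your policy supports
WEAK_WIFI = {"open", "wep"}   # no encryption, or encryption broken long ago


def check_host(record, as_of):
    """Return a list of (category, detail) findings for one inventory record.

    Categories follow the areas the OIG report grouped its findings under;
    the checks themselves are simplified stand-ins for a real control review.
    """
    findings = []

    # Audit control: the report found hospitals with audit logging disabled.
    if not record["audit_logging"]:
        findings.append(("audit control", "audit logging disabled"))

    # Anti-virus: the report found out-of-date anti-virus software.
    updated = record["av_defs_updated"]
    if updated is None:
        findings.append(("anti-virus", "no AV definition date recorded"))
    else:
        age = (as_of - date.fromisoformat(updated)).days
        if age > MAX_AV_AGE_DAYS:
            findings.append(("anti-virus", f"AV definitions {age} days old"))

    # Wireless access: open or WEP-protected wireless is an exposure.
    if record["wifi_security"] in WEAK_WIFI:
        findings.append(("wireless access",
                         f"wireless security is {record['wifi_security']}"))

    # Transmission security: ePHI should not cross the network in the clear.
    if record["transport"] != "tls":
        findings.append(("transmission security",
                         f"transport is {record['transport']}"))

    return findings


def self_audit(inventory, as_of):
    """Run every check over the inventory; hosts with no findings are omitted."""
    report = {}
    for record in inventory:
        findings = check_host(record, as_of)
        if findings:
            report[record["host"]] = findings
    return report


def summarize(report):
    """Count findings per category so the work plan can be prioritized."""
    counts = {}
    for findings in report.values():
        for category, _ in findings:
            counts[category] = counts.get(category, 0) + 1
    return counts


def default_audit():
    """Convenience wrapper: audit the constructed inventory as of AS_OF."""
    return self_audit(INVENTORY, AS_OF)


if __name__ == "__main__":
    result = default_audit()
    for host, findings in result.items():
        for category, detail in findings:
            print(f"{host}: [{category}] {detail}")
    print(summarize(result))
```

Against the constructed inventory, two of the four hosts come back clean and the other two carry four findings each, spread evenly across the four categories; a real work plan would replace the inventory with an export from asset management and map each category back to the corresponding Security Rule safeguard.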

The Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, plans to conduct about 150 HIPAA compliance audits in 2012 (see: HIPAA Audits Move Forward).

In the interview, McCrystal also:

  • Notes that the HHS Office for Civil Rights has stressed in resolution agreements following breaches and other HIPAA violations that staff training is essential. "I have participated in discussions with OCR on a resolution agreement, and a particular point of focus was that the organization not just have policies and procedures ... but that employees and others had been trained on them, understood them and were actually implementing them in their day-to-day responsibilities."
  • Offers advice on preventing breaches, emphasizing the need for an updated risk assessment and the use of encryption to protect data;
  • Outlines breach notification preparation steps, including creating a team to investigate incidents;
  • Offers advice on working with business associates to prevent breaches, including a long list of questions to ask vendors before entering a contract.

McCrystal is a partner in the healthcare group of the law firm Ropes & Gray. He works with healthcare clients on a wide variety of regulatory issues, including HIPAA privacy and security rule compliance.
