Preparing for Upcoming HIPAA Compliance Audits
Attorney David Holtzman on Steps to Take Now
To prepare for the resumption of HIPAA compliance audits next year, organizations need to do much more than document a risk analysis and mitigation steps. For example, they also must be ready to demonstrate how they're complying with the revised HIPAA breach notification rule, as well as how they're providing patients electronic access to their records, says attorney and regulatory expert David Holtzman.
In the upcoming audits, the Department of Health and Human Services' Office for Civil Rights "will be looking at how organizations assess [incidents] and notify individuals regarding incidents that are reportable breaches," Holtzman says in an interview with Information Security Media Group. The former OCR official who's now vice president of compliance at the consultancy CynergisTek made his comments during the recent HIPAA security conference hosted by OCR and the National Institute of Standards and Technology.
The HIPAA Omnibus Rule's updated breach notification requirement provides more objective guidelines for how organizations must assess whether breach notification is required after a security incident: an impermissible use or disclosure of protected health information is presumed to be a reportable breach unless a documented risk assessment shows a low probability that the information was compromised. That replaces the previous "harm standard," which looked at whether an incident was likely to cause financial, reputational or other harm to an individual.
"We would also expect [OCR] to query organizations on their processes and policies ... on how they provide patients access in an electronic format to their health records," Holtzman notes. That's another requirement under HIPAA that's frequently a point of contention between covered entities and individuals, OCR officials say.
HIPAA Audit Schedule
At the recent HIPAA conference, OCR officials indicated that the random audits will resume in 2016, and that a contractor, FCi Federal, has been hired to assist in the program, which will consist mostly of desk audits (conducted remotely), with a smaller number of onsite audits (see Exclusive: OCR's McGraw on Timing of HIPAA Audits).
Covered entities and business associates need to get ready for possible audits now, Holtzman says. "The last thing you want to do is get an audit letter from OCR and not be prepared for it," he says.
Holtzman says he expects OCR will begin sending out roughly 1,200 audit survey letters to covered entities and business associates within the next 30 to 60 days, and that OCR will likely conduct about 300 audits selected from those surveyed, with a particular focus on smaller entities. That's because OCR's pilot HIPAA audit program in 2012 found that of the 115 covered entities scrutinized, smaller organizations struggled the most with HIPAA compliance issues, "especially the security rule," he says.
In the interview, Holtzman also discusses:
- The process that OCR likely will use to choose organizations for HIPAA audits;
- Why the upcoming revised HIPAA audit protocol from OCR will be important for organizations to study, and what's likely to be part of the protocol;
- The impact of a recent court ruling in the Federal Trade Commission's lawsuit against hotel chain Wyndham Worldwide Corp. that upheld the FTC's authority to play a key cybersecurity regulatory role. He also discusses the FTC's case against medical testing laboratory LabMD.
Before joining CynergisTek as vice president of privacy and security compliance services, Holtzman was a senior adviser at OCR, where he played key roles in planning and developing policy and guidance issued under HIPAA and HITECH Act regulations. Earlier, Holtzman served as the privacy and security officer for Kaiser Permanente's Mid-Atlantic region.