2014 was beset by cyberattacks and health care privacy breaches (let’s not forget Sony’s recent escapade), so it’s no surprise that cybersecurity regulations will be heightened in 2015. Earlier this month Jocelyn Samuels, Director of the Office for Civil Rights (OCR) at the Department of Health and Human Services, addressed the severity of the current health care IT security issues:
“We are certainly seeing a rise in the number of individuals affected by hacking [and information technology] incidents, as reported by entities under our breach notification requirements, especially those due to malware compromising the security of information technology resources,” wrote Samuels. Samuels affirmed the agency’s proactive HIPAA enforcement priorities for 2015 and its increased focus on ePHI security.
Working with medical practices and physicians on a daily basis with charge capture, I am surprised by how nonchalant many providers are when it comes to HIPAA compliance with patient data. Their goal is to care for their patients, and seemingly tedious regulations are often ignored. But a new phase of HIPAA audits is about to take place among medical organizations and will make the regulations that much harder to ignore.
Initial HIPAA-compliance audits occurred in 2011 and 2012 to determine if health care organizations were in compliance with security regulations around health care data. The rollout of phase 2 of the HIPAA audits was delayed in 2014, but the audits are expected to start in early 2015. HIPAA regulations apply to covered health care organizations as well as their business associates; those that hold or access sensitive patient data on a regular basis are eligible. Organizations found in violation of HIPAA regulations during the audits could face financial penalties.
If you haven’t done so already, and we sure hope you have, now is the time to implement a robust HIPAA-compliance policy. This includes adopting HIPAA-compliant software such as secure messaging and other data encryption techniques. It’s important to also test your systems for vulnerabilities that can leave sensitive patient information susceptible to breaches and malware. If you were to undergo a HIPAA audit today, would you pass?
Additional information for HIPAA audits, such as timing, scope, and guidelines, will be posted on the OCR website in the coming months.