Learn From Others

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

The Office for Civil Rights (OCR) gathered information at the end of 2020 that is important for any covered entity or business associate that operates under HIPAA guidelines. Summarized in the U.S. Health and Human Services (HHS) HIPAA Audits Industry Report, this data should be regarded as a useful tool for any business that deals with HIPAA, and one that they can learn from.

While the report was just released, it covers the 166 covered entities and 41 business associates that were audited in 2016 and 2017 for compliance with selected HIPAA provisions.

The good news is that the OCR found most of these successfully met the timeliness requirements in reporting breaches to individuals and also in prominently posting the Notice of Privacy Practices (NPP) on their websites. Where they failed was with regard to meeting the provisions that safeguarded the patient’s protected health information (PHI), providing appropriate content in the aforementioned NPP, and ensuring the individual right of access. In fact, 89% of covered entities failed to show this adequately. Additionally, they failed to “implement the HIPAA Security Rule requirements for risk analysis and risk management.”

With tools in place to assist these entities in complying with HIPAA, including online resources and guidance, there is likely little reason to overlook the occurrence of a breach that results from a lack of preparation or attempted compliance. While having a full-time individual to oversee HIPAA compliance is sometimes not feasible within a small business, there are options available that would assist in meeting these needs to avoid fines and failures, in addition to securing your business.

Despite the pandemic bringing uncertainty and some confusion to 2020, the OCR remained diligent in its efforts to enforce HIPAA. They provided guidance on how to handle COVID-19 related issues that were focused on protected health information (PHI) and also issued an FAQ for telehealth providers so effective and protected treatment could continue despite the changing landscape.

If you are providing guidance for healthcare providers and business associates, the OCR has given you a tool that establishes best practices for creating an IT inventory list. This is essential when it comes to understanding the whereabouts of electronic protected health information (ePHI) and how to maintain that under HIPAA law. Additionally, there are resources for mobile health technology and guidelines that review the regulations for hospitals and health systems that want to donate cybersecurity technology to physician practices.

This overview of available information that includes investigations into failures and fines (and how they were broken down), as well as resources and tools available to you as a member of the healthcare industry (either directly or in a support role), only emphasizes that despite a year of uncertainty, the OCR’s commitment to strong human cybersecurity practices along with HIPAA compliance remains certain.

This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now! offers annual online subscriptions to help covered entities and business associates keep up with compliance.