Random HIPAA Audits are Coming

By Steve Spearman, Founder and Chief Security Consultant for Health Security Solutions
Twitter: @HIPAASolutions
LinkedIn: Our HIPAA Chat Group
Host of HIPAA Chat. Join us on the next broadcast.

Last week, in Washington, D.C., NIST and the Department of Health and Human Services’ Office for Civil Rights (OCR) held their 8th annual Safeguarding Health Information: Building Assurance through HIPAA Security seminar. Here are some of the major takeaways and big announcements that came out of that conference.

Random HIPAA Audits Are On the Way
Jocelyn Samuels, Director of the HHS Office for Civil Rights, announced that OCR will launch a campaign of random HIPAA audits later this year. This time, OCR is partnering with FCi Federal, which will provide management support services for OCR's desk and on-site audits. Hopefully, this means that OCR will find security gaps before identity thieves do. Expect these audits to be harder to pass than usual: Samuels said they will specifically focus on the points where HIPAA compliance most commonly falls short.

The Good News
Fortunately, the seminar itself is meant to help covered entities become HIPAA compliant, and NIST has posted the seminar's agenda and resources online for free. A major recurring theme throughout the seminar was the need for healthcare organizations, or at least their security divisions, to cooperate, especially by warning each other about recent cyber threats.

The Resources
Here are the links to each of the presentations shown at the seminar, along with summaries of what they cover.

  • Threat Intelligence for Dummies (Karen Scarfone, Principal Consultant at Scarfone Cybersecurity) As co-author of the Threat Intelligence for Dummies ebook, Scarfone offered information on threat intelligence (TI), and how to use it regardless of which vendors you employ. She discussed what TI is and how to gather, appraise, and use your TI. She also described the pros and cons of various threat mitigation strategies and explored ten criteria to use when considering TI solutions. She even provided a link that gave access to a free copy of her ebook.
  • Collaborative Approaches for Medical Device and Healthcare Cybersecurity (Suzanne Schwartz, FDA Director of Emergency Preparedness/Operations and Medical Countermeasures) Schwartz gave a presentation about the FDA's role in cybersecurity and what it plans to do to ensure that network-connected medical devices, such as insulin pumps, are genuinely secure rather than secure on paper.
  • Interoperability Roadmap and ONC Updates (Lucia Savage, Chief Privacy Officer at HHS Office of the National Coordinator for Health IT) Savage’s presentation is an excellent introduction on how to protect EHRs. Her presentation not only encourages healthcare organizations to share security practices and warn each other about cyber threats, but also explains why this is an important practice. For example, in an interconnected network of healthcare systems that allows for multiple users, a single breach can spread rapidly from one system to another. She also encourages healthcare organizations to borrow best practices from other industries.
  • Business Associate Liability and Other Issues (attorneys Adam Greene, Amy Leopard, and James Wieland) This trio of highly qualified HIPAA legal experts gave a comprehensive guide to working with business associates. They included subjects such as how to assess a business associate, whether offshoring raises concerns, cyber insurance issues, and the role of the Federal Trade Commission in health information security.
  • Building a Robust Data Security Plan (Cris V. Ewell, PhD, Chief Information Security Officer at Seattle Children’s Hospital) This presentation explained why we need new security practices, what goals to set for security practices, and recommendations for some strategies to meet those goals.
  • Start with Security: A Guide for Business (Cora Han, Senior Attorney for the Federal Trade Commission’s Division of Privacy and Identity Protection) This is a brief walk-through of the FTC’s new Start With Security business education initiative. To see this information in more detail, follow the link to the written business guide.
  • Securing Electronic Health Records on Mobile Devices (Gavin O'Brien, Computer Scientist at the NIST National Cybersecurity Center of Excellence) Although self-promotional, the presentation explains why the National Cybersecurity Center of Excellence exists. It offers a practice guide for managing interactions between EHRs and mobile devices and discusses NIST's new wireless infusion pump project, which is intended to address the security issues associated with these medical devices.

Source: New HIPAA Compliance Audit Details Revealed – GovInfoSecurity

This article was originally published on Health Security Solutions and is republished here with permission. Steve Spearman hosts HIPAA Chat, a show produced by HITECH Answers airing on our Internet radio station, HealthcareNOWradio.com. Learn more about HIPAA Chat or download podcasts of the show. Find out more about attending the next taping of HIPAA Chat and ask your questions directly to Steve.