New OCR HIPAA Audits Planned – Should Digital Health
Providers Be Worried?
by Grant Elliott , Founder & CEO, Ostendio
4/7/2014 http://ostendio.com/new-ocr-hipaa-audits-planned-digital-health-providers-worried/
Last week the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released its version of a Security Risk Assessment tool to “help guide health care providers in small to medium sized offices”. This comes after its announcement in February that it would target 12,000 companies for proactive HIPAA audits, a third of which will be Business Associates (BAs).
All this activity follows criticism from some quarters that, since introducing the Audit Protocols in 2011, the OCR has been largely ineffective at applying them. With other agencies seemingly stepping in to fill the void, the OCR is under increasing pressure to step up its game and show it is able to effectively police the HIPAA regulations.
So who will be affected? When the OCR conducted its first set of audits in 2011 to validate the Audit Protocol, it mainly focused on large Covered Entities such as hospitals and health plans. This time around it has indicated it will be targeting Business Associates as well, but it is probably still safe to assume it will be more focused on larger enterprises than on small to medium sized businesses. However, this does not mean SMBs should remain complacent: this exercise is part of a general acceleration of proactive auditing by the OCR, and don’t forget that any company responsible for a breach immediately puts itself in the OCR strike zone.
Until now, for many small and medium sized businesses, managing HIPAA compliance has been more of a marketing initiative than a true exercise in managing and protecting sensitive data. This is not a criticism or a suggestion that these companies are trying to be deceptive; rather, there is an element of denial within the small to medium business community about compliance and a belief that, despite the changes in the law last year, they can continue to fly under the radar. This approach is driven by a lack of understanding about what they need to do to manage compliance.
The reality is that while obtaining compliance is a never-ending journey, the first steps are relatively simple. The OCR comes down hardest on companies that have never conducted a risk assessment, which is why it has now released its own Risk Assessment tool. It is making clear that there is no excuse for not completing a risk assessment, indicating a preference for companies that know where their vulnerabilities are over those that don’t. Sticking your head in the sand, or assuming that good IT practices are sufficient, will only result in a stiffer penalty. It is much better to learn what you need to do and to get started down that path, even if you can only do so slowly. As a smaller organization you are not expected to employ the same level of tools or resources to manage compliance, but you are expected to know what compliance looks like and to have a plan to achieve it.
Despite these recent announcements, it is unlikely that as a small to medium business you need to be looking over your shoulder worried about a proactive OCR audit. That day may still come, but in the interim you need to be sure you are taking the appropriate actions, just in case you find yourself under the microscope for less random reasons. And that starts by conducting your own Risk Assessment. You can find more about how to manage your compliance at http://ostendio.com.
Resources:
Security 101: Security Risk Analysis – Risk Assessment
Compliance 101: MyVCM High Level Risk Assessment
© 2014 Ostendio, Inc. All Rights Reserved