Vice President, Enterprise Security and Risk
Chris Gray is the vice president for Optiv's enterprise security and risk practice with over 15 years of experience in information technology, information security and information risk management. He leads the team in achieving customer requirements with implementing information security, risk management and compliance management programs.
Worried About a Potential HIPAA audit? You Should Be.
For years the health care industry has dealt with the daunting challenge of understanding and determining how to comply with privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. To complicate matters, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) recently released a nationwide audit program to uncover violations, raising the stakes for HIPAA compliance.
Still, some health care entities have been slow in preparing for a potential audit, which can be partially attributed to the lack of details around what requirements will be assessed during an audit. However, with the OCR’s publication of its audit protocol, the entire health care industry has been given a wake-up call.
All HIPAA covered entities, including hospitals, payers, and clearinghouses should anticipate an audit. Furthermore, if history repeats itself, those that have previously reported breaches or experienced consumer complaints to HHS should expect to receive a higher audit priority. Although HHS specifically excluded business associates from the first round of audits, they will be included in future audit cycles, according to the new criteria.
Here are the top three reasons why preparing for an audit is more critical than ever:
- The audit pilot program suggests that little advance warning will be provided and that documents will need to be produced within days. However, if there is proof that a gap analysis was completed and remediations are already being enacted, the auditors will likely show leniency.
- While only 115 audits will take place in 2012, the OCR has strongly hinted at an increase in enforcement activities and penalties for violations. A clear incentive for these increases is that all penalty revenue goes directly to the OCR to finance future enforcement efforts. Also, OCR Senior Advisor David Mayer indicated during his presentation at the 2012 American Health Lawyers Association Annual Meeting in Chicago, Illinois, that the audit program will continue through 2013 and 2014.
- There are financial penalties, one of the most obvious reasons why meeting compliance guidelines is pertinent. Unlike Payment Card Industry (PCI) standards, in which fines tend to start out small and increase slowly over time, initial HIPAA fines have been significantly larger and tend to stay that way. In just a few months, the OCR has issued millions of dollars in financial penalties as a result of non-compliance.
So act now—before it’s too late.