Prepare for HIPAA Audits and Fight Ransomware

Cybersecurity in healthcare has reached dizzying risk levels. Last month’s ransomware attack on Change Healthcare still reverberates, affecting thousands of providers and millions of patients, primarily those waiting for prescriptions. We still do not know the full extent of the damage to the healthcare sector, and experts believe the disruptions will continue for many weeks.

More needs to be done to bolster cybersecurity defenses. The U.S. Department of Health and Human Services (HHS) recently issued new guidance to help healthcare organizations understand and defend against cybercriminals’ bold, aggressive tactics targeting healthcare. HHS also plans to use HIPAA audits and increase enforcement to reinforce patient privacy and information security.

The updated guidance and the possibility of audits are opportunities, not problems. Most healthcare organizations need to make more cybersecurity preparations, and most need help doing so.

The HIPAA rules are a blueprint to protect your organization and prevent ransomware attacks.

Phase 3 Audits Are on the Horizon

The Office for Civil Rights (OCR) director confirmed to Information Security Media Group (ISMG) last month that OCR plans to begin auditing regulated entities later this year. This will be OCR’s third phase of HIPAA audits since 2011.

The topics covered in the audits are not a mystery because OCR has provided much information about the questions and documents requested. These questions and requests are known as the “HIPAA Audit Protocols.” OCR has also published a report about the results of the last round of audits, known as Phase 2, conducted in 2016-2017.

Assume you will be audited and take action today to prepare.

Phase 2 Audits Revealed More Failures than Successes

The biggest failure of covered entities and business associates was the inability to conduct a HIPAA risk analysis and to carry out risk management based on it.

Generally, covered entities demonstrated compliance in only two of the seven areas audited: (1) timeliness of breach notification and (2) prominent posting of the Notice of Privacy Practices on their websites.

However, covered entities did not comply with the individual right of access requirements and content of breach notification provisions. The report also explained that covered entities still struggle to implement HIPAA’s risk analysis and risk management requirements.

Business associates were also audited. OCR noted that the business associate audit ratings were similar to those of covered entities in security risk analysis and risk management.

Follow the HIPAA Security Rule

Using the Security Rule requirements is the fastest way to prepare for an audit and bolster cybersecurity defenses. Please use the latest guidance from the National Institute of Standards and Technology (NIST) and HHS and review the resources available at StopRansomware.gov.

Conduct a complete HIPAA risk analysis and refresh cybersecurity training.

Experts remind us that software vulnerabilities remain the #1 attack vector in healthcare, so all healthcare organizations need to patch vulnerabilities rapidly. As soon as you learn about a patch, implement it.

The HIPAA E-Tool® Solves the Audit Problem

Whether you need up-to-date policies, a risk analysis and risk management plan, or training, The HIPAA E-Tool® can help.

The HIPAA E-Tool® also contains all 180 audit protocols published by OCR after the Phase 2 audits. With clickable links from the audit questions to your policies, an audit is much easier to manage.

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC, she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up-to-date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.
