Healthcare industry audit affirms focus on hacking, access

by Ryan Ozawa

A comprehensive study of HIPAA compliance across the healthcare industry, conducted by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS), has found some good news and some bad news for healthcare providers, which we outline below.

Why does OCR conduct these audits?

In 2009, the U.S. Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was designed to promote the adoption and meaningful use of health information technology.

The HITECH Act included a requirement for “periodic audits to ensure that covered entities and business associates . . . comply with such requirements.”

These audits cover compliance with the HIPAA Security Rule (subpart C) and the HIPAA Privacy Rule (subpart E). As we’ve covered previously, HIPAA includes two primary components:

  • HIPAA Privacy Rule: Covers the use and disclosure of protected health information (PHI) and the standards that must be upheld for individuals to understand and control how their individually identifiable health information is used.
  • HIPAA Security Rule: Establishes required security standards to protect electronic protected health information (ePHI), which is health information or records that are held or transferred in electronic form.

HITECH itself addresses the privacy and security concerns associated with the electronic transmission of health information by strengthening the civil and criminal enforcement of HIPAA rules.

SEE ALSO: The Complete Guide to HIPAA Violations

What did the latest audit find?

Although released this month, this latest report covers audits performed in 2016 and 2017. During that timeframe, the OCR looked at 166 covered entities and 41 business associates and summarized its findings.

First, the good news:

  • Most covered entities met the timeliness requirements for providing breach notifications to affected individuals.
  • Most covered entities with websites satisfied the requirement to prominently post their Notice of Privacy Practices.

SEE ALSO: How to Make Sure You Have a HIPAA Compliant Website

Then, the bad news:

  • Most covered entities failed to provide all of the required content for a Notice of Privacy Practices.
  • Most covered entities failed to provide all of the required content for breach notifications to affected individuals.
  • Most covered entities failed to properly implement right of access requirements.
  • Most covered entities and business associates failed to implement the HIPAA Security Rule’s requirements for risk analysis and risk management.

SEE ALSO: Insufficient Risk Analysis Results in Data Breach and $400,000 Settlement

“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”

What does this audit mean for health care organizations?

The audit helpfully highlights two areas where the OCR has increased its focus and enforcement activities: hacking and the Right of Access initiative.

SEE ALSO: What You Don’t Know About Cybersecurity Can Put Your Business at Risk

Dealing with hackers has been a priority in health IT for years, especially attacks via email, which often use social engineering to take advantage of uninformed employees.

On this front, cybersecurity training is a key way to make sure your employees aren’t vulnerable to attack, as is investing in a HIPAA compliant email solution with inbound security such as Paubox Email Suite Plus.

As for the Right of Access initiative, which was launched last year, the OCR is ensuring that patients have ready and reasonable access to their own health records.

As patient requests for their medical data become more common, it’s important to develop an efficient and secure way to fulfill them. Securely automating patient communications with tools like the Paubox Email API can help.

And on the topic of risk management, the HHS provides a Security Risk Assessment Tool, and even published a 20-page guide providing the “6 Basics of Risk Analysis and Risk Management.”

Try Paubox Email Suite Plus for FREE today.