The audits by the Health and Human Services Department’s Office for Civil Rights (OCR) are slated to begin early this year.
Of the 350 entities selected, there will be 232 healthcare providers, 109 health plans, and nine healthcare clearinghouses. The business associates will include 25 Information Technology companies and 15 non-Information Technology companies all working within the healthcare industry. The OCR plans to audit 150 entities and 50 associates for compliance with security standards, 100 entities for compliance with privacy standards, and 100 for compliance with breach notification standards.
The OCR has been transparent on topics it will target. From the way patients access and obtain their data to breach notification policies, the OCR will cover a wide range of functions that are listed in detail on its site.
Content that was created by the OCR for the HHS website states “the use of health information technology continues to expand in health care. Although these new technologies provide many opportunities and benefits for consumers, they also pose new risks to consumer privacy. Because of these increased risks, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) include national standards for the privacy of protected health information, the security of electronic protected health information, and breach notification to consumers. HITECH also requires HHS to perform periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules.”
The top five issues which were found and resulted in the corrective actions were:
Impermissible Uses & Disclosures
As your organization reviews the policies, procedures and guidelines that support HIPAA and HITECH standards, the OCR will look into security, privacy and breach notification rules to analyze risk, safeguards and implementations, especially those associated with electronic health information and device encryption.
Smart healthcare executives will use the waiting period before audits to begin assessing risk, preparing staff and reviewing policies. You don’t need an audit to have a visit from the OCR.
Judith Lindsay, CHP and CEO of JAL Consult tackles all the elements of HIPAA compliance puzzle. Successfully assisting organizations to make sense of it all by implementing the correct policies and procedures that are reasonable and appropriate for their entity. Judith provides consulting, training and is available for speaking engagements. To read more about the world of compliance subscribed to JAL’s insightful newsletter at www.jalconsultantsaz.com, Twitter @ judithconsult, LinkedIn -- www.linkedin.com/in/judithlindsay
Personal Information Collected Online
•Personal Information means personally identifiable information such as information provided via forms, surveys, applications or other online fields including name, postal or email addresses, telephone, fax or mobile numbers, or account numbers.
•Before or at the time of collecting personal information, JAL will identify the purposes for which the information is being collected.
•JAL will collect and use personal information solely for the purpose of fulfilling specific contracted engagements or for other compatible purposes, unless consent is obtained from the company and/or individual concerned or as required by law.
•JAL will retain personal information as long as necessary for the fulfillment of a specific contract or for a specific purpose.
•JAL will collect personal information as deemed lawful and where appropriate with the knowledge and/or the consent of the individual or company.
•Personal data should be relevant to the extent of necessary purposes and should be accurate, complete and up-to-date.
•JAL will protect personal information by reasonable safeguards against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
•JAL will make readily available to customer’s information about our policies and practices relating to the management of personal information. Terms and Conditions
JAL is committed to conducting our business in accordance with these principals in order to ensure that the confidentially of personal information is protected and maintained. By accessing this website, you are agreeing and bounded by these Website Terms and Conditions of Use, all applicable laws and regulations. If you do not agree with these Terms and Conditions, you are prohibited from using or accessing this website. The materials contained in this Web Site are protected by all applicable copyright and trade mark laws.
Our Online Notices are subject to change. Please review it periodically. If we make changes, we will revise the “Last Updated” date at the top of this Notice. Any changes will become effective the date the revised Notice is posted on the Site.