The HHS Inspector General (OIG) reported that the Health and Human Services Office for Civil Rights (OCR) is not effectively auditing HIPAA covered entities. Covered entities include doctors and hospitals that have primary ownership of your health records. As a result, OCR is establishing a permanent audit program and working to identify potential audit targets.
One place OCR is apparently going to look is at business associates (BAs). In HIPAA speak, BAs are the vendors a doctor or hospital uses that have access to your information. Under the rules, your doctor must not only have a written agreement with that vendor, but must also exercise reasonable diligence to make sure that the security of your information is protected.
Also, the rules are changing regarding what counts as a breach. It used to be that you only had to report a breach if there was significant risk of financial or reputational harm, as evaluated by the doctor or hospital. Needless to say, most lost data did not present significant risk. Now any breach has to be reported, unless the data is encrypted in a way that leaves the hacker no reasonable way to read it.
And this includes mobile devices (PHONES!) that contain patient data, so encrypt patient data wherever it lives.
A Massachusetts dermatology clinic discovered this the hard way when they lost a thumb drive. Their wallet is now $150,000 lighter.
Doctors who use computerized record keeping systems, called EHRs, now need to provide copies of those records within 30 days of a request, down from the old 90-day window. That could challenge doctors and hospitals that don’t have a system in place to do that.
And, there are many other rules that both doctors and their service providers need to comply with.
Now that OCR is finally going to have an active audit program, expect more violations. It’s not that the violations weren’t happening before; it is just that no one was looking.
Those doctors and hospitals that do not have an active program for monitoring their HIPAA compliance may find themselves with a problem. HIPAA and its cousin HITECH have been around for years. One of the goals of HITECH was to put teeth in the enforcement of HIPAA. That goal may have just been accomplished.
If you are a doctor, hospital or service provider to one, don’t say you did not know.
Information for this post came from Family Practice News.