Office Of Civil Rights At HHS Starting Up Audits Again

The Office Of Civil Rights (OCR) has been pretty quiet these last couple of years regarding HIPAA audits, but that may be about to change.

OCR’s staff is small, so they have hired a contractor, FCI, according to the Federal Register. In an interview, deputy director Deven McGraw said that they will be starting up random audits again early next year.

FCI’s contract, for a little under a million dollars, is very small by federal standards. This means that they will be doing narrowly focused remote audits.

Recently, OCR fined a small oncology clinic $750,000 over a laptop and a server that were stolen and had not been encrypted.

Deven said that anything that is not nailed to the floor (her words) should be encrypted – laptops, storage devices, servers and desktops, for example.

She said that even though encryption is “addressable”, that does not mean that it is optional, even for the smallest health care providers and business associates. We EXPECT you to address encryption of data at rest, and if you don’t encrypt, you must implement an alternative option in its place as well as documenting the reasoning.

Iliana Peters, senior advisor for compliance and enforcement at OCR, said that there really aren’t any other great options besides encryption.

They also said that lost devices, even encrypted ones, that have to be reported are indicators of other problems at the organization.

Deven also said that it all starts with a HIPAA risk analysis. I suspect that reviewing your risk analysis document is something that could easily be done remotely and lead to more questions if you do not have one, or if the one that you do have indicates more problems. The message regarding risk analysis is to stop procrastinating.

While it remains to be seen what OCR will do starting in 2016, this might be a good time for covered entities to make sure that their HIPAA house is in order, as well as the houses of their Business Associates, since CEs are now liable for the errors of their BAs.

Small providers – ones for whom a $750,000 fine for having two devices stolen out of an employee’s car would be devastating – should probably start looking now to see if they have their HIPAA Security Rule act in order.

Information for this post came from two articles at Data Breach Today, here and here.
