MANDATORY MEANS DO IT
Recent headlines about delays from OCR for HIPAA audits were met with surprise by many. Why should it be a surprise? How many programs or revised programs have been implemented on the first promised date? More to the point, why should it matter to covered entities that are mandated to be compliant anyway?
Historically, HIPAA has always lacked in oversight. It was enacted and mandated with no funding, protocol or plans for audits, only investigation of complaints or blatant findings of potential fraud. The private joke in healthcare organizations was that there was no “HIPAA police force” and the majority of covered entities dragged their feet on implementing their HIPAA programs, doing little else than initial training to staff about the Who, What and Where but not much about the Why. Most HIPAA policies adopted were merely the templates issued at training sessions that popped up like produce stands, with some facilities not even managing to replace the <INSERT COMPANY NAME> with their corporate name.
When the Audit Program was implemented, HHS listed Audit details and protocols on their website and later added the notation, “Please be aware that the protocol has not yet been updated to reflect the Omnibus Final Rule but a version reflecting the modifications will be available in the future.” That was a mere two years ago – just sayin’.
Enough of that perspective. Here is the other side, the more pertinent in fact. There is a Federal regulation in effect, with updates/modifications, with which Covered Entities and now Business Associates are mandated (i.e. – ordered, directed, commanded) to comply. Therefore, it should not make one whit of difference whether there are audits in place or not. Right?
Compliance to the Privacy and Security Rules is the right thing to do. You will protect your company from fines and other ramifications of complaints and breaches. You will safeguard the Personal Health Information (PHI) of your customers and thus maintain the integrity of your organization’s reputation.
There have been some major data breaches lately, clearly due some factor or factors of noncompliance. Hackers are extremely proficient and patient when searching for the gaps in security. To maintain the mandated regulations for compliance will, at the very least, make it far less likely they will find their way into your network. But, adopt a blasé attitude because there are no impending audits and you are only working on borrowed time. Healthcare is an identified target of hackers, partly because revenue and funding aid in creating short staffing, shortcuts and budget decreases, with IT Departments a prime target. Frequently the in-house IT staff are learning while doing – a setup for failure.
Where does your network stand now regarding compliance? Best practice suggests the easy way to determine where you are as well as what you need to do to become compliant is a third party Security Risk Assessment. This will also allow you to develop your prioritized action plan, and you will likely find numerous items that can be done as a budget neutral fix (e.g. – policy changes, setting standards, etc.). The critical phrase here is third party. (If you are scratching your head, thinking third party will certainly be more costly than having in-house staff complete an assessment, you are right. Watch for the next article for a bit more clarity.)
We all intend to maintain compliance and do our jobs the best we can. That will be little comfort to clients whose information has been breached. Your To Do list should include a third party security assessment for a baseline and then routinely (alternate years or at least every three years).
“Most of us have good intentions but intentions are meaningless unless they are followed up with actions,” said Daniel Decker, author and blogger on Leadership, Influence and Possibility. Protect the data your clients have entrusted to you, regardless of those HIPAA audits that will begin … sometime.