By Jack Anderson
September 23, 2013
Buried in an article I was reading was the interesting and challenging fact that October 1, 2013 is the beginning of the 2014 fiscal year for HHS and OCR, which means that they will begin to set up their 2014 audit program for covered entities and business associates next week. This should cause a lot of fear for those who know that they are not compliant, but of course denial is still strong for many.
What do we know from the first round of audits? Only 11% had no findings, security accounted for 60% of the findings, providers had a disproportionate number of findings, and smaller organizations had the worst results. Now what is interesting is that these were all covered entities who have been required to be HIPAA compliant for years, yet the audits showed that the biggest problem was lack of understanding of the requirements.
This does not bode well for small to medium-size business associates (SMB). First, they have given little but lip service to the standards in the past and felt that all they had to do was sign the BA agreement (BAA), file it, and get on with business. Rarely did anyone question them, even though the covered entity who shared their PHI with them was required to get “satisfactory assurances” that they were compliant. Secondly, many of them who are sub-contractors of BAs may not even realize that they are now BAs also and must meet the same standards.
Our estimate is that 80% of the SMB market are non-compliant and that they number over one million. Remember this includes 1099 workers such as billers, coders, transcriptionists, insurance agents, and many, many more.
To this point HHS has done a poor job of educating this sector, and sadly they will only find out when they or someone just like them gets hit with a big penalty and bad publicity that could cause their business to fail. You may think that couldn’t happen, but it already did: Impairment Resources LLC declared bankruptcy after a data breach. They couldn’t pay the fines or the cost of informing all of the patients whose data was breached, and the cause was a simple burglary.
BAs need to get compliant, stay compliant, and be able to prove compliance, because covered entities and OCR are going to come knocking on your door. Take this simple compliance checklist, or email me at jack@compliancehelper.com to have me send you a more extensive survey.
HIPAA Compliance Checklist
1. Have you formally designated a person or position as your organization’s privacy and security officer?
2. Do you have documented privacy and information security policies and procedures?
3. Have they been reviewed and updated, where appropriate, in the last six months?
4. Have the privacy and information security policies and procedures been communicated to all personnel, and made available for them to review at any time?
5. Do you provide regular training and ongoing awareness communications for information security and privacy for all your workers?
6. Have you done a formal information security risk assessment in the last 12 months?
7. Do you regularly make backups of business information, and have documented disaster recovery and business continuity plans?
8. Do you require all types of sensitive information, including personal information and health information, to be encrypted when it is sent through public networks and when it is stored on mobile computers and mobile storage devices?
9. Do you require information, in all forms, to be disposed of using secure methods?
10. Do you have a documented breach response and notification plan, and a team to support the plan?
If you answered no to any of these questions, you have gaps in your security fence.
If you answered no to more than three, you don’t have a security fence.