Fifty Ways to Lose Your Lover or PHI

There are millions of covered entities and business associates that are required to be HIPAA compliant. A significant number of them ignore these requirements because they think that they will never be audited. What they fail to take into account is that being chosen by the Department of Health and Human Services (HHS) or its enforcement arm, the Office for Civil Rights (OCR), is not the only trigger for an audit.

If you are a business associate (BA) and have signed a BA agreement stating that you are HIPAA compliant, the covered entity or business associate who required the BA agreement can also follow up by asking for proof that you are living up to the agreement. This can be as simple as a questionnaire or a request for copies of your policies or risk assessments, or, if they are especially concerned, it can be a desk audit or an on-site audit.

The 100% sure path to an audit is a breach.

Health and Human Services Definition of Breach
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.

Here are some examples of actual breaches:

Lost laptop

Lost iPhone

Misplaced servers

Stolen backup tapes

Intact paper records in city dump

Ransomware attack

PHI left accessible on the internet

Burglary of office computers

Office staff posting PHI on Facebook

I always think of Paul Simon's song "Fifty Ways to Lose Your Lover", particularly the "slip out the back, Jack" verse. There are truly fifty ways to lose your PHI and trigger an audit.

Are you ready for that audit? Got that updated risk assessment, updated policies, and documented staff training? If so, good on ya; if not, let's talk. Jack
