Dive Brief:
- The Department of Health and Human Services announced good-news/bad-news changes to its HIPAA audit program this week. Regulators are planning to delay the second phase of their audit program until the completion of technology that will allow organizations to submit information via the web. Officials had planned to begin audits in the fall, and have not provided information on when they will now begin.
- This gives providers a break for the moment, but the office also announced an increase in the number of on-site audits and a decrease in remote audits. The second phase was supposed to entail 400 remote audits, but that will be halved. The on-site audits are due to budget increases in the department.
- Pre-screening surveys will be sent to approximately 1,200 potential entities as well as their business associates, who would also be audited. The organizations will be selected randomly from a national index. Desk audits will be less comprehensive than on-site audits, which will not only verify that appropriate policies are in place but whether or not they are followed. Organizations can be fined up to $1.5 million per violation, according to the HIPAA Omnibus Rule.
Dive Insight:
The increasing number of breaches in healthcare has shined a brighter light on the need for increased security by providers. It looks as though providers will need to do than give lip service when it comes to HIPAA compliance very soon.
An April article in Fierce Health IT reported that audits will focus on areas where problems were found in the pilot phase, including risk analysis and breach notification. Targeted issues will change annually and were reported to include device and storage security controls, transmission security and HIPAA safeguards in 2015. In 2016, the focus will be on physical access, encryption and decryption.
Want to read more? You may enjoy this story about how much IT breaches cost the industry annually.