Fulfill HIPAA Security Rule Requirements and Improve IT Infrastructure Performance

While the HIPAA Privacy Rule covers protected health information (PHI) in all forms, the HIPAA Security Rule applies only to PHI that a covered entity creates, receives, maintains, or transmits in electronic form (e-PHI). The Security Rule requires covered entities to meet specific objectives and presents major challenges for virtually every covered entity in the HIPAA environment, no matter how big or small. Covered entities include health plans, health care clearinghouses, and health care providers. In addition, business associates that handle e-PHI on behalf of covered entities are subject to the same security requirements.

IT professionals like you know the amount of work involved in supporting HIPAA compliance. The members of your IT team have enough on their plates without assuming the role of HIPAA police, but the team can also appreciate that adding technologies for HIPAA Security Rule compliance is an opportunity to improve overall IT security in a way that benefits the organization's bottom line. Read this white paper, including results from the HIMSS 2010 Security Survey, to learn how to fulfill HIPAA Security Rule requirements and improve overall control and performance of your IT infrastructure.

More healthcare privacy audits in the wings

Federal enforcers are preparing to audit healthcare organizations for how well they establish and follow privacy and security practices and data breach notification standards.

The Office for Civil Rights published the protocol its examiners will use when they conduct performance audits to assess whether health plans and payers and their business associates safeguard health information. The audits are called for under the HITECH Act.


OCR enforces the Health Insurance Portability and Accountability Act (HIPAA) and oversees health information privacy in the Department of Health and Human Services.

The audit protocol, released June 26, details the activities examiners will assess, including whether the organization has conducted a risk analysis, acquired IT systems and services where needed to protect health information, and developed and deployed information system activity review processes, such as regular review of audit logs and security incident tracking reports.


The audit protocol covers how effectively organizations establish policies and meet the requirements of the HIPAA Privacy Rule: notice of privacy practices, individuals' rights to request privacy protections for their protected health information, individuals' access to their information, administrative requirements, uses and disclosures of health information, accounting of disclosures, and amendment of health information.

The audit protocol also covers the HIPAA Security Rule requirements for administrative, physical and technical safeguards for electronic protected health information, and the breach notification procedures.


OCR has piloted a program to audit 115 plans and payers and some business associates to get a field assessment of how organizations are complying with privacy and security protections. The audits began in November 2011 with a first group of 20 organizations and will conclude in December 2012.

Audits present an opportunity to examine methods for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s complaint investigations and compliance reviews. OCR will share best practices it learns through the audits and provide guidance aimed at compliance challenges.

During the pilot audits to date, which have covered large and small hospitals, integrated systems, small providers and group health plans, OCR has found privacy challenges across entities of all types and sizes, but many more vulnerabilities in the smaller organizations, according to Linda Sanches, OCR senior adviser on health information privacy and lead on HIPAA compliance audits.
