OCR Announces HIPAA Audit Program

Don’t get caught unprepared!

On November 8th, the Office for Civil Rights (OCR) officially unveiled its long anticipated audit program. These audits, mandated by Section 13411 of the HITECH Act, are intended to “ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.”[1]

If your organization has not been keeping up with recent changes to HIPAA Privacy and Security Rules, you may be unaware of significant new requirements for covered entities and business associates, such as breach notification, and the drastic overhaul of the enforcement process including a tiered penalty plan.

Audit 101

Beginning November 2011, and concluding December 2012, OCR will complete a pilot audit program of 150 covered entities to “assess privacy and security compliance.” If selected for an audit (and OCR indicates they intend to audit a broad range of covered entities and business associates), the organization will be notified in writing and provided with an initial documentation request. All documentation must be submitted within 10 business days. The audit will include an onsite visit expected to take 3 to 10 business days. The auditor will generate a report, which the organization will review and will have 10 days to submit their written response, including actions they have taken to resolve any compliance issues. A final report will be submitted to OCR, which will develop recommendations and evaluate the need for corrective actions. Note: Compliance audits may also occur as a result of a Privacy or Security Rule complaint.

How to be prepared

  1. Your compliance officer should review your HIPAA compliance plan. Have you implemented the new requirements, such as Breach Notification, enacted by the HITECH Act?
  2. Review and update policies and procedures. These documents are required and are a primary method to demonstrate compliance with the Rules.
  3. Review and/or complete a Risk Assessment as required. This should include a technical and nontechnical review of the information system. Failure to complete the required analysis may be considered willful neglect under the new tiered penalty plan.
  4. Review or develop a process to identify, document, mitigate and report privacy and security incidents including the required breach notifications.
  5. Review and update Business Associate contracts. Remember that Business Associates are now required to comply with portions of the Privacy and Security Rules.

Employee Internet Usage Puts Your Business at Risk

Every time employees use the Internet, they put the security of your network and sensitive business data at risk.

Employees are using the Internet inappropriately
Employees are shopping, sharing content peer-to-peer, and visiting social networking, dating and adult sites. This use puts your company’s productivity and reputation in jeopardy and increases the risk of Internet-based threats to your data network. Adult sites are notorious for hosting malware. The taboo nature of the sites is such that users remain silent about visiting them, even if they suspect their system has been infected. Meanwhile, online shopping sites are often the source of spyware, or feature links to third-party sites that may not be trustworthy.

Hackers have learned to use legitimate sites as bait for “social engineering” tactics, tricking users into clicking an embedded link or an email attachment. This happened with Facebook in December 2008.


Why you need a gateway security solution

Business today is all about connectivity. Available data suggests email and web access represent 90 percent of business-critical applications used by small- and mid-sized companies. Yet the gains in efficiency and productivity that companies have realized by incorporating the Internet into their business models have also benefited malware authors. Threats that once took months to infect a few thousand computers can now reach hundreds of thousands in mere minutes.

Gartner suggests that between 80 and 95 percent of all email entering a company’s network is spam, and that two to six percent of it carries a threat such as viruses, Trojans and rootkits.


Time To Take Notice

This week’s news highlights the growing need to take proactive steps to protect sensitive data. It’s time to take notice, before your organization has to give notice of a data breach.

The Office of Civil Rights (OCR), responsible for enforcing HIPAA regulation, has announced the hiring of KPMG of McLean, VA to implement an audit program of covered entities and business associate compliance with the HIPAA privacy and security standards. This action marks the first time proactive “periodic audits”, as required by the HITECH Act, will be implemented. Until now, investigations have been in response to complaints.[1]


Office for Civil Rights Gets Tough on HIPAA Violations

For the second time this week, the Department of Health and Human Services (HHS) has announced stiff penalties for HIPAA violations. This may signal the start of stronger HIPAA enforcement action by the Office for Civil Rights (OCR) and a sign of things to come when HHS rolls out its HIPAA compliance audit program as mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

On February 22nd, HHS announced a landmark civil monetary penalty (CMP) against Cignet Health of Prince George’s County, Md., for violations of the Privacy Rule. The $4.3 million penalty was imposed for failing to provide 41 patients with copies of their records in the time frame required by HIPAA, and for failing to cooperate with the OCR investigation. It was the first time a penalty was assessed for Privacy Rule violations, and the first time the increased penalty amounts authorized by Section 13410(d) of the HITECH Act were applied.


Willful Neglect – $4.3 Mil. Penalty Results

As I reviewed the HIPAA Security and Privacy provisions with a lead surgeon who heads a small but bustling medical practice, I could tell he would rather be in a treatment room with a patient than sitting in the lunch room with me discussing one of a legion of requirements and regulations. “Do other doctors really do this?” he asked, his head buried in his hands.

Protecting sensitive data is a hot button. Criminal data theft and fraud have grown alongside the explosion of day-to-day dependence on the internet, wireless and mobile technology. The Identity Theft Resource Center reported 662 data breaches in 2010, affecting 16,167,542 records. 76% of these records included Social Security numbers.


Is the Xoom the new physician’s tablet?

Portability and mobility, even with some sacrifice of function, seem to be increasingly important in the doctor’s office. We’ve seen more iPads showing up with the expectation (as lofty and unrealistic as it may be) that they will be able to perform the same functions as the tablet PCs they replace. There are apps, of course, and RDP for remote access, but coming quickly on the heels of the iPad since its announcement at CES in Las Vegas is the Motorola Xoom tablet.

Motorola Xoom shown with Dock and Keyboard (Courtesy Motorola Inc.)


Healthcare and Email – Dangerous Assumptions

Email has truly become our central production form of communication, both internally and externally. We rely on the ease and rapidity of messaging, and our ability to readily attach documents, pictures or other relevant information. And we are increasingly going mobile (read that as “real time”) with our email connectivity. A recent comScore study revealed that Americans are increasingly using their mobile phones and tablets to access email on the run.

As a result, the amount of information we find useful to keep in email is increasing. And services like GMail have made it easy to integrate email, calendaring and contacts, all available from web browsers, mobile devices and our home computers – all for a very reasonable price indeed! But hang on here… when we use our “personal” email in such a fashion, what have we really given to these third-party providers? Are we really secure? Are we even compliant?


Medical Technology and Compliance

What a subject! And what a dynamic and challenging industry for both health care providers and the various vendors they use to keep a practice running. We are going to try to get the latest and most relevant issues which are constantly arising and bring them here for awareness and discussion. Comments will always be welcome, but highly moderated. So play nice!
