Small physician practice and HIPAA audit preparation

With the government conducting a new round of HIPAA privacy and security' audits in 2017 and 2018, small medical practices need to be prepared. The problem is that most are not. In an assessment of its first round (Phase 1) of audits, the U.S. Department of Health and Human Services' Office of Civil Rights (OCR), which is responsible for enforcing patient privacy rules, found that many healthcare entities, including smaller practices, are having difficulty' not only with implementing security' technology to protect patient data, but with implementing plans and selecting personnel to manage HIPAA compliance at their practice.

In fact, 66% of entities lack complete and accurate risk assessments in a review of Phase 1 audits, according to the OCRs HIPAA compliance audit pro­gram director. Research from SecurityMetrics, a data se­curity company in Orem, Utah, suggests that protecting digitized patient health informa­tion continues to be a low priority for small practices.

A poll of 150 healthcare professionals responsible for HIPAA compliance at orga­nizations with fewer than 500 employees found that:

51% don't test employees on HIPAA-related training;

50% of respondents don't know if their organizations use multi-factor authentication;

41% don't know how often their firewall rules are reviewed;

27% don't encrypt emails containing patient data; and

26% don't use mobile encryption.

There are a variety' of reasons why small practices find it difficult to make their sys­tems HIPAA-compliant. One is finding information on how to prepare. OCR and the Office of the National Coordinator for Health Information Technology' (ONC) have a HIPAA Security Risk Assessment tool available online to assist small and medium­ sized practices:

Many small practices also haven’t imple­mented measures to prepare for a potential HIPAA audit. In a recent study by cloud- based practice management software pro­vider NueMD, 30% of healthcare profession­al said they didn't have a compliance plan. Fifty-four percent said they did not have a security or privacy officer, and 60% were unaware of the planned increase in audits under OCR’s Phase 2 HIPAA Audit program, which began last year and is ongoing.

In light of this lack of preparation, small practices pre­paring for the new round of audits should use the federal government's HIPAA audit protocol, which provides specific guidance on what is required. It is available on the Health and Human Service department’s website.

Have questions? I’m here to help.