Atlantic.Net Blog

Strengthening Your HIPAA IT Audit & Compliance Department

Have you been concerned with meeting the demands of the Health Insurance Portability and Accountability Act? Whether you are a covered entity or business associate, it’s essential to strengthen your HIPAA compliance IT mechanisms now. Let’s look at why compliance is increasingly important and how to quickly “beef up” your efforts.

  • The Debate over Healthcare Regulations
  • Warnings from HHS OCR
  • Misconception on HIPAA IT Requirements
  • HIPAA Compliance IT Surveys & Penalties
  • Nutshell Business Associate HIPAA Audit Checklist
  • Beef Up HIPAA IT with a Trusted Provider

The Debate over Healthcare Regulations

Healthcare companies and the companies that provide services for their protected health information should notice that we have entered a new, more aggressive world when it comes to the connection between HIPAA and technology.

While everyone wants their private, protected health information to be safe, the HHS rules are a hotly debated topic, and for good reason:

  • Side #1 – Threat to innovation – As indicated in Fortune, regulations tie the hands of the healthcare field, making it difficult for firms to take advantage of groundbreaking advances in technology.
  • Side #2 – Ominous threat landscape – The massive, long-term hacks of Anthem and Community Health Systems have made the federal government consider compliance a top priority.

Innovation is certainly a legitimate concern: health researchers and data scientists could derive better diagnostics and treatments from taking full advantage of big data analytics and other technologies. However, security is fundamental, especially given Reuters’ revelation that health information is worth ten times what credit cards are on the black market.

Warnings from HHS OCR

Between June 2013 and June 2014, the Office for Civil Rights posted nine settlements totaling more than $10 million, one of which was of unprecedented size: $4.8 million. To highlight the fact that those fines were just the beginning, Jerome B. Meites, head lawyer for OCR's Chicago region, told Law360 that the past year's activity by the regulatory agency would “pale in comparison to the next 12 months.” He added, “Knowing what’s in the pipeline, I suspect that that number will be low compared to what’s coming up.”

Fast-forward to June 2015, and we see the same scenario: HealthITSecurity reports that Health and Human Services is broadening its audit activities again. This time, the focus is business associates. Beginning in the summer or fall, the HIPAA audit process will start shifting into hyperdrive, with OCR director Jocelyn Samuels noting that both covered entities and business associates will now be under scrutiny to verify the HIPAA compliance of their information technology (a change from previous audit efforts, which focused exclusively on healthcare companies).

Misconception on HIPAA IT Requirements

You don’t have to be compliant with the healthcare laws if your company is a “mere conduit,” as is the case with many telecoms and IT services. This exemption applies to situations where data is only being transmitted or temporarily stored, such as in a healthcare hosting scenario. Examples of conduits include ISPs and paging companies. Any case that goes beyond pure transmission is not considered a conduit.

“The key difference between a conduit and a Business Associate is the transient versus persistent nature of the opportunity to view the PHI,” said HealthITSecurity. “To qualify as a conduit, a service provider must ensure that PHI is only temporarily stored. It is irrelevant whether the service provider actually views the PHI.”

HIPAA Compliance IT Surveys & Penalties

The OCR has mailed out initial questionnaires to be filled out by companies that could be audited, many of which are business associates. Based on the information provided by each organization, the Office for Civil Rights will decide whether to move forward with an audit. Some audits will occur directly at businesses, while others will be performed remotely.

HIPAA violations can lead to costly penalties, as discussed above. HHS can hit entities with fines in excess of $50,000 for any instance of noncompliance, even if the company didn’t mean to neglect the rule. In more extreme situations, when the agency determines that a violation was intentional and that the organization did not take steps to rectify it, settlements can be as much as $1.5 million per year.

Nutshell Business Associate HIPAA Audit Checklist

The primary concern for business associates is the HIPAA Omnibus Rule. Here is an essential checklist of its expectations:

  • Implement protections so that PHI is not accessed without authorization
  • Notify covered entities when data is compromised
  • Verify that any subcontractors follow the parameters of HIPAA
  • Complete business associate agreements (BAAs) with all relevant clients and subcontractors
  • Record and retain documentation of all healthcare privacy and security efforts

Beef Up HIPAA IT with a Trusted Provider

You are fully responsible for some aspects of HIPAA compliance, such as staff training and the development of in-house policies and procedures. However, it’s a good idea to simplify the IT hosting aspect by working with an experienced, healthcare-ready provider – especially when beefing up compliance must be fast and error-free.

“Atlantic.Net’s reputation for 100% up-time, their secure infrastructure, and expertise in Healthcare IT were key components in finalizing our partnership,” said Complete Healthcare Solutions VP of Product Development Joseph Nompleggi. “Our partner’s financial strength and proven track record are something we view with great confidence.”

Learn more about our HIPAA Compliant Hosting and experience our fast VPS Hosting.
