OCR Audits Find Widespread Lack Of Understanding Of New HIPAA Data And Security Rules

Posted on April 25, 2013 by Frank J. Rosello

Simply knowing all the rules could prevent many of the problems plaguing data security and privacy among healthcare providers and insurers.

Nearly one-third of the 980 problems that HHS’ Office of Civil Rights uncovered during privacy and data-security audits of 115 healthcare providers and insurers happened because the organizations were not aware of all of the requirements facing them, according to root-cause analyses performed by HHS contractor KPMG.

“You probably don’t know what you don’t know,” OCR Senior Adviser Linda Sanches told a crowd of healthcare lawyers and compliance officials Tuesday during the Health Care Compliance Association’s annual Compliance Institute, held this year in National Harbor, Md.

Sanches said the findings show that many healthcare companies could benefit from re-reading the rules and regulations in the Health Information Technology for Economic and Clinical Health, or HITECH, Act that widen HIPAA privacy and data-security protections on patients’ protected health information.

The HITECH Act required HHS to audit how well the 3 million or so “covered entities” in the U.S. follow the rules on safeguarding patient data and reporting breaches that do occur. The office selected 61 healthcare providers, 47 health plans and seven healthcare data “clearinghouses” for inspection, and concluded those reviews in December.

On Tuesday, Sanches announced in her presentation that 13 entities, including only two healthcare providers, passed the “performance audits” without any negative findings.

Click here to view OCR presentation (PDF)

Of the organizations with documented problems, data-security issues accounted for 60% of all the findings and observations, while 30% pertained to data privacy and 10% related to data-breach notifications.

“Security was overwhelmingly an area of concern,” Sanches said, noting that 47 of the providers had not done a complete and accurate risk assessment for potential data problems.

Not only did many providers report being unaware of all the data security and privacy rules they’re supposed to follow, but many seemed not to have policies in place to comply with the rules. She said it seemed clear that some of the policies were written by consultants after the organizations were targeted for audits. “There were intentional misrepresentations. We were not happy about that,” she said.

Sanches said that entities with documented problems were not punished, because the audits were done by contractor KPMG, but that the negative findings have since been forwarded to investigators in HHS’ civil rights office for future consideration.

The HITECH Act requires the office to audit organizations that directly handle protected patient health information—which are known as “covered entities”—as well as organizations’ subcontractors and business associates. Sanches said rules on auditing “business associates” are still under development and targets of those reviews will be determined after September.

Article written by Joe Carlson

• Recent News

  • Texas Launches Certification Program To Bolster HIPAA Compliance
  • Internet Explorer Vulnerability: Steps To Take
  • Five Misconceptions About Cloud Computing
  • ONC Chief’s Perspectives On Patient Privacy and Security
  • ONC Chief DeSalvo Charts New Course

• Press Release Archives

• EI Connections Newsletter Archive

  
  

  Sign up for the
  EI Connections Newsletter

  * Email

  
  

• Categories

  • ACA
  • ACO Rule
  • ACOs
  • Cloud Computing
  • CMS
  • CMS eRx Rules
  • CMS Final Rule
  • CMS Proposed Rule
  • e-Health
  • EHR Adoption
  • EHR Data Sharing
  • EHR Implementation
  • EHR Incentives
  • EHR Information Security
  • EHR Meaningful Use
  • Electronic Health Records
  • Electronic Medical Records
  • EMR
  • Environmental Intelligence
  • Health Information Exchange
  • Health IT
  • Health IT Best Practices
  • Health IT Data Security
  • Health It Interoperability
  • Health IT Policy
  • Health IT Services
  • Healthcare
  • Healthcare Information Security
  • Healthcare Leasing
  • HHS
  • HHS Final Rule
  • HHS Initiatives
  • HIE
  • HIPAA 5010
  • HIPAA Complicance
  • HIPAA Omnibus Rule
  • HIPAA Privacy and Security Rule
  • ICD-10
  • Meaningful Use
  • medical practice best practices
  • mHealth
  • ONC
  • Patient Privacy
  • Personal Health Record
  • PHI Data Security
  • Press Releases
  • Radiology Systems
  • Telehealth
  • Telemedicine

• Tag Cloud

  CMS CMS EHR Incentives CMS Policy EHR EHR Adoption EHR Best Practices EHR Cloud Hosting EHR Consulting EHR Hosting EHR Implementation EHR Incentives EHR Study EHR Technology Enhancements EI Connections Newsletter Electronic Health Records Electronic Medical Records EMR Environmental Intelligence Healthcare Health Information Exchange Health IT Health IT Best Practices Health IT Information Security Health IT Policy Health IT Services Health IT Standards Health IT Tips HHS HIE HIE Standards HIPAA Compliance HIPAA Privacy and Security Rules HIT ICD-10 Meaningful Use medical practice best practices OCR ONC Patient Experience PHI PHI Data Breaches PHI Data Security PHI Security Stage 2 Meaningful Use Rule Stage 3 Meaningful Use