NEW ORLEANS -- HIPAA audits are like the root canal procedure of health care. They may be painful and most providers would avoid them if possible, but they do serve a purpose. Representatives from the Department of Health and Human Services' Office for Civil Rights said at HIMSS 2013 that audits give providers and the enforcement agency a chance to see what's working and what's not when it comes to safeguarding protected health information.
David Holtzman, senior health information technology and privacy specialist for the Office for Civil Rights' (OCR) health information privacy enforcement and audit program, said the agency has stepped up enforcement activity in the last few years through more frequent audits and settlements, but the goal isn't to increase the number of organizations fined. It's to identify existing privacy and security problems and take actions to remedy these issues.
This may not fit the image most providers have of the OCR, which is known mostly for investigating privacy and security complaints and levying monetary penalties against providers found to be out of compliance with HIPAA.
But Holtzman said OCR gives every entity a chance to demonstrate compliance before a settlement is reached or fines are levied. That being said, he reaffirmed that OCR is taking the "compliance through enforcement" approach, in which it seeks to encourage more covered entities to comply with the full letter of the HIPAA law by showing that there are consequences to noncompliance.
"Civil monetary penalty is an action that is very heavy administratively, and at the end of the day, it is simply a fine," Holtzman said. "It does not create corrective action. But at this stage, there is certainly an expectation that every covered entity will have engaged in a risk analysis" and other compliance activities.
Susan McAndrew, deputy director for health information privacy and security at the OCR, said it is particularly important for regulators to understand what works when it comes to protecting personal health information (PHI) as the health system continues its migration toward electronic health records (EHRs) and other IT tools. The number of outside organizations that touch PHI has increased dramatically in recent years, as providers began partnering with vendors to store and analyze electronic data -- a trend that will only continue.
"This new electronic world was dependent on entities that were not covered entities," McAndrew said. "It was felt that to give customers assurance, business associates must now come under the umbrella."
When the HIPAA omnibus rule was published in December 2012, it held business associates to the same privacy and security standards as providers. This means that a hospital's business partners are subject to the same kinds of fines and penalties for HIPAA violations as covered entities are.
Some commentators have said they feel this is a major burden and they expect some vendors that function as business associates to have difficulty complying with the new responsibility.
McAndrew said the industry should not view privacy regulations as barriers to overcome or challenges to be solved. Instead, they should be seen as "guide posts." "The vision is that privacy and security itself is a plus for this electronic universe," she said. "They keep you from falling off the cliff."
Ultimately, providers need to implement strong security measures in order to maintain the trust of patients, McAndrew said. Otherwise, she said, EHR systems become very expensive pieces of unpopular hardware.