To prep for OCR HIPAA audits, try tech risk assessment

Weighing technology risks can help healthcare organizations stay ahead of 2016 HIPAA audits by the Department of Health and Human Services' Office for Civil Rights.

Two reactions are likely regarding upcoming HIPAA desk reviews by the U.S. Department of Health and Human Services' Office for Civil Rights (OCR). Some hospital CIOs will wake up with night sweats, while others will face the OCR HIPAA audits with confidence.

One of the dividing lines between those camps will be whether a healthcare organization conducted a technology risk assessment related to safeguarding protected health information.

"Everything boils down to understanding the risks and how you manage them," said Raj Mehta, a partner at Deloitte's Cyber Risk Services.

Getting ready for OCR HIPAA audits will present significant budget implications: 67% of healthcare organizations plan to spend money on HIPAA audit prep technology and services this year, according to a survey conducted by TechTarget, the publisher of SearchHealthIT, in conjunction with the College of Healthcare Information Management Executives.

OCR HIPAA audits echo the past

Mehta's words sound familiar: Hospitals have been tackling risk for years, and the heat went up following the Sept. 11 terrorist attacks and the need for hospitals to rate the likelihood of a community emergency response.

Fast forward to 2016, and anyone following the news can see that new threats are occurring, this time via the Internet. Hospitals are often the victims of these cyberattacks, creating a backdrop to fuel the latest phase of OCR HIPAA audits.

HIPAA risk assessments involve many aspects -- compliance steps and staff behaviors, for example -- but from a health IT perspective, hospitals should know what's going on in their EHR and systems environments, Mehta said.

Measure the prospect of cyberattacks

The OCR is conducting the audits to determine compliance with HIPAA privacy, security and breach notification rules. After contacting potential audit subjects by email or U.S. postal mail earlier this year, the OCR next will send HIPAA surveys to a sampling of healthcare organizations and business associates.

In general, a good way to start risk assessments is for healthcare executives to go back to their old emergency and security management playbooks and ask themselves these questions:

  • What kinds of cyberattacks are possible?
  • What is the likelihood any given breach could occur?
  • What is the threat to hospital business operations if an attack happens?

The last bullet may be in the crosshairs of auditors, Mehta said. Often, IT people will think that a law states "XYZ," but fewer people take the next step to determine how a violation or breach of XYZ will affect hospital business goals, he added.

That aspect of risk assessment may be tough for a hospital techie to contemplate, he added, because the notion requires someone to understand not just technology, but also business operations, assets and patient care.

OCR publishes audit rundown

To help hospitals and their business partners better prepare, the OCR released a HIPAA audit protocol, which is a fancy term for a detailed list that gives hints on how to best comply with the regulations and what areas auditors may ask about.

Risk reviews serve as a good way to embrace the OCR HIPAA audits protocol, according to an April 2016 article in the National Law Review.

"Covered entities and business associates should conduct a risk assessment using the new audit protocol to identify compliance issues and gaps in documentation," wrote the article's authors, healthcare lawyers M. Leeann Habte and Claire Marblestone, both at international firm Foley & Lardner LLP.

Mehta agreed that including business associates in risk assessments is a good move. For example, hospitals should look at companies that provide systems to host EHRs, medical transcription work and other niche services. Having a review of those aspects on hand will keep auditors happy, he said.

Auditors won't "get into specific technology or go into a network and look for stuff," he added.
