HIPAA audits of healthcare providers and their business associates are coming soon, warns David Holtzman, a lawyer and vice president for compliance for health data privacy and security consulting firm CynergisTek, Inc.
Holtzman knows of what he speaks when it comes to HIPAA audits, because he served from 2005 to 2013 as the U.S. Department of Health and Human Services (HHS) Office for Civil Rights' (OCR) senior adviser for health information privacy.
Now, after months of delays, Holtzman says he expects OCR to launch at least "desk" audits, conducted mainly remotely by interview, sometime this year, with more comprehensive on-site audits in 2016 and beyond.
Meanwhile, Holtzman warns in this podcast -- the first of a two-part series -- that healthcare providers large and small should fortify their HIPAA programs rather than risk fines and, even worse, health data breaches that damage customers and harm companies' reputations.
At a minimum, it is imperative that providers maintain risk management plans and organizational policies governing which employees get access to protected health information. Also critical, Holtzman says, are policies and processes for evaluating the potential for breaches and notifying OCR when they occur.
Healthcare systems, hospitals and physicians that have participated in HHS' meaningful use program will be better prepared, he notes.
That is because many of the measures to which providers have to attest are built into HIPAA compliance, and are, indeed, based on the HIPAA privacy and security rules.
One such feature actually has to do with patients' ability to get their hands on their own health data -- a HIPAA requirement -- via secure electronic portals.
Holtzman says he finds it troubling that there has been a nearly 25% meaningful use audit failure rate, a trend that does not bode well for HIPAA audits.