LAS VEGAS -- The health IT world has expected HIPAA compliance audits of healthcare organizations and their business associates for more than a year, and they still haven't happened.
But one health data cybersecurity expert interviewed at HIMSS 2016 told SearchHealthIT he expects the long-awaited audits to launch in 2016 despite the change of administrations at the end of the year.
At the midpoint of the weeklong show, HIMSS 2016 had drawn more than 40,000 attendees to what is traditionally the biggest health IT conference and exhibition.
In this podcast interview, Michael "Mac" McMillan, co-founder and CEO of CynergisTek, Inc., a health data security and privacy consulting firm, says political factors have little to do with the delayed HIPAA compliance audits.
Rather, he says, the likely cause is the work style of Deven McGraw, deputy director for health information privacy and head of the audit program for the Department of Health and Human Services' Office for Civil Rights (OCR). He says McGraw wants to ensure -- after a round of pilot audits in 2014 -- that OCR is fully prepared to carry out thorough audits.
Even so, McMillan says he is surprised that no one in Congress has called for an inquiry into why the HIPAA compliance audits, which were expected last year, have still not begun.
McMillan also says CynergisTek has been working with a new data security threat system from Symantec Corporation that allows health information managers and security officers to practice in simulated real time how they'd respond to cyberattacks on their health data networks.
McMillan also touches on the growing use of cloud technology in most sectors of health IT, saying cloud issues are almost talked about too much.
Not only can cloud technology be as secure as enterprise-based systems, but the cloud is also inevitable because of its financial and performance advantages, McMillan, a former security director for two defense agencies, says.