The second phase of audits involving covered entities under the Health Insurance Portability and Accountability Act (HIPAA) is expected to take place within the upcoming months. Covered entities should use this time to perform an in-depth risk assessment, because experts say this year's audits will be tougher and more comprehensive than ever.
So, why are HIPAA audits going to be tougher this year? Earlier this month, health insurer Anthem, Inc. announced a massive security breach resulting in the disclosure of 80 million records containing Protected Health Information (PHI). An investigation had found that Anthem did not encrypt its data, increasing the risk of a malicious attack. While encryption isn't directly required under HIPAA, covered entities must implement Physical, Technical and Administrative safeguards to protect their patients' information – and encryption is arguably one of the most effective safeguards.
This isn't the first time Anthem, Inc. has come under fire. Just two years ago, the health insurer was fined a whopping 41.7 million by the Department of Health and Human Services (HHS) for unauthorized disclosure of PHI. Furthermore, both Columbia University and New York's Presbyterian Hospital received a $4.8 million fine in connection with PHI disclosure.
These are just a few examples of major companies being hit with HIPAA fines. As the need for greater cybersecurity and privacy protection becomes apparent, the HHS will continue to crack down on covered entities that violate the Health Insurance Portability and Accountability Act of 1996.
Another reason why audits are expected to be stronger this year is the Omnibus Rule. In 2013, HHS amended HIPAA to include regulations for business associates. In other words, third-party companies and organizations that create, receive and/or transmit PHI must follow the same HIPAA rules as covered entities. If a chiropractor outsources cybersecurity to a cybersecurity firm, for instance, the firm is responsible for following the same privacy and reporting standards.
Whether your practice is small, large or anywhere in between, you should prepare yourself for an audit, because as the saying goes “it's better to be safe than sorry.” Thankfully, you don't have to spend countless hours trying to determine whether or not you're at risk for a violation. By performing a routine risk assessment at least once every 12 months, you'll have a better understanding of what to expect should an audit occur.