HIPAA New Year: Audits Set to Increase in 2014

Written by Michael Brown 1
December 8, 2013

Good news and bad news for your clients that have to be complaint with HIPAA. The good news is that beginning in 2014 audits will be narrower in scope and generally less intrusive and time-consuming. The bad news? There’s going to be a lot more of them.

At least that’s according to Leon Rodriguez, director of the Department of Health and Human Services' Office for Civil Rights, who said (i.e. warned) back in September that his department is planning to ramp up the number of audits, with a focus on “vulnerabilities that might change year to year.”

Here were some details of the announcement courtesy of govinfosecurity:

Enforcement actions to date have focused on cases involving major security failures, where a breach incident led to investigations that revealed larger systemic issues, Rodriguez said. Other enforcement cases have included inappropriate disclosure of data and the denial of access to patient records to patients.

Additionally, Rodriguez said he expects that OCR "will leverage more civil penalties." And he noted that his office has approval to bank penalties it collects to fund enforcement actions across fiscal years. Being able to bank penalties will enable OCR "to maximize funding our auditing and breach analysis" activities, he added.

This should be enough to convince your clients that it’s time to stop playing games with compliance matters, especially with regards to the way they store, send and share files. In other words, they need a file-sharing solution that is HIPAA compliant. Perhaps more important, they need to be able to prove they are compliant. So to help you prepared for what seems like the inevitable HIPAA audit, here are a few questions for you and your clients to consider:

“How easily can we prove our compliance?” Many cloud-based file sharing solutions were built with auditing and reporting in mind, but most were not, especially those originally designed for personal use. So while some will be able to quickly prove their compliance (and take advantage of those “narrower” audits) many will struggle with this aspect. Much of it boils down to the solution’s administrative controls. Without a comprehensive overview of the system – one that addresses the who, what, where, why and how of sensitive data – many organizations will find it exceedingly difficult to prove their compliance (if in fact they are).
“How fast can we prove our compliance?” If your clients, for instance, will need to manually look through log ﬁles to determine if transfers went through securely, they could be looking at a process that will takes weeks (maybe longer). Speed will be of great importance for companies and organizations that want to get the audits completed in as little time as possible. The more readily available the information, they better off they will be when facing an audit.
“How expensive will it be to prove our compliance?” If your clients think they’ll need to hire additional staff to compile and review the data, they are likely to incur a lot of unnecessary costs as a result of an audit (not to mention the fines that come with being found in violation). A small investment in a business-grade file sharing solution now will go a long way towards saving costs later.

No organization wants to be audited, but it’s looking like more and more of an inevitability in 2014. Better to be safe than sorry.