Survey Reveals Over-confidence in HIPAA Compliance
With regulators gearing up to begin the next phase of HIPAA compliance audits, many covered entities appear to be over-confident about passing that scrutiny, according to the results of Information Security Media Group’s latest Healthcare Information Security Today survey.
Nearly 80 percent of healthcare organizations that participated in the 2015 survey said they were confident or somewhat confident that they’d “pass” a HIPAA compliance audit by the Department of Health and Human Services’ Office for Civil Rights with only minimal non-compliance issues.
But despite the strong confidence levels of most respondents when it comes to their organizations’ compliance efforts, a closer look at other survey results shows that many covered entities are still falling short in applying key technologies and practices to protect patient data against many current and emerging cyber threats, including measures called for by the HIPAA Security Rule.
For instance, the survey found:
● Only 75 percent of respondents say their organizations conducted a security risk assessment last year. The failure to conduct a thorough and timely risk assessment is the most common non-compliance issue that has been cited by OCR during HIPAA breach investigations and also in the agency’s pilot HIPAA compliance audit program.
● Despite lost or stolen unencrypted devices being the biggest cause of major health data breaches reported to OCR since 2009, only 60 percent of surveyed organizations are requiring encryption on portable devices and media.
● Although OCR looks for documented evidence of HIPAA compliance efforts, less than 60 percent of surveyed organizations have a documented security strategy. Most of the other organizations say they are working on one.
Although confidence levels about HIPAA compliance appear to be high among the survey respondents, they nevertheless said their top information security priority for 2015 was improving regulatory compliance. That was followed by improving security awareness and training, and by preventing and detecting breaches. Those were also the top priorities in the two previous Healthcare Information Security Today surveys.
The online 2015 Healthcare Information Security Today survey was conducted in December 2014 and January 2015. Respondents included about 200 CISOs, CIOs, directors of IT and other senior leaders at hospitals, integrated delivery systems, physician group practices, insurers and other healthcare organizations.