Too many healthcare organizations are receiving failing grades for HIPAA compliance, an analysis of OCR's initial audits reveals.
The biggest concern for Linda Sanches, OCR senior advisor and health information privacy lead for the audit program, was that some organizations have done little, if anything, to comply with HIPAA regulations.
"I was surprised to discover some entities have not put much effort into meeting their compliance responsibilities. Some had made no efforts to be in compliance," says Sanches, who discussed the results of those initial audits.
At the other end of the spectrum, some organizations are doing well with respect to compliance. Michael D. Ebert, national HIPAA services leader at KPMG LLP, the firm OCR hired to conduct the audits, was surprised by how well at least one covered entity (CE) performed.
OCR plans to conduct many more audits by the end of December. The agency will review the findings to try to identify trends. "Our goal is to survey a wide range of entities," Sanches says. And Sanches and Ebert say it is likely compliance audits will continue beyond 2012. "It is our understanding the program will continue," says Sanches.
Healthcare organizations have a common question: what is necessary for HIPAA compliance?
Sanches suggests the following strategies as next steps for providers:
- Conduct a robust review and assessment. "Do a risk analysis. Look at what you are doing," she says. If you have made major changes, update your policies and procedures to reflect your current operations.
- Determine the lines of business affected by HIPAA. Many hybrid organizations exist, she says. Some business lines are covered by HIPAA and some are not.
- Map how protected health information (PHI) moves within your organization, as well as how it flows to and from third parties.
- Train your employees according to your own established office policies and procedures.