HIPAA compliance has been on everyone's minds lately — the federal government included. President Obama even recommended an increase in the fiscal year 2017 budget in order to accommodate more oversight in this area.
Here are the details of his plan as well as ways to tighten your own HIPAA security and compliance right now.
More HIPAA oversight
In February, President Obama submitted his FY 2017 budget recommendations. He allotted $43 million to the Office for Civil Rights (OCR), resulting in a $4 million increase from the year prior.
According to the HHS FY 2017 Budget in Brief, the "increase will support OCR’s audit program which was mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The audit program will offer a new tool to help ensure Health Insurance Portability and Accountability Act (HIPAA) compliance by covered entities and business associates, while also informing OCR on areas in which to direct its enforcement and technical assistance."
It comes as no surprise that business associate agreements will be monitored more closely, given that the Phase 2 HIPAA audit guidelines announced a more intense focus in this area as well. Since March 2016 alone, the OCR has levied two significant fines — $750,000 and $1.55 million — against entities for their failure to execute proper business associate agreements. In order to carry out the Phase 2 audits, the budget also includes funding to hire an additional 18 full-time equivalent employees.
Moreover, the additional funds will "evaluate new areas where HIPAA does not currently apply." Given the uptick in cybersecurity attacks against healthcare organizations and the evolving nature of interconnected technologies, this is another area that deserves greater study.
Preparation and planning are key to avoiding unnecessary HIPAA breaches and the corresponding fines. Here are three best practices to implement right away in order to improve your organization's HIPAA compliance:
1. Third-party agreements. Ensure you have a signed business associate agreement on file for any vendor or contractor who will have access to your patients' PHI. Specifically, find out how the PHI will be protected and handled when the vendor relationship ends as well as how frequently the associate performs security risk analyses.
2. Encrypt mobile devices. Since 2010, nearly 70 percent of data breaches have been due to the theft or loss of devices. These devices are frequently mobile units such as laptops and portable hard drives. Encrypting all devices, including mobile ones, can drastically lower your risk of non-compliance.
3. Perform an annual risk assessment. Meaningful Use guidelines mandated that all covered entities perform an annual risk assessment. However, as seen time and time again with the number of preventable breaches that occur, healthcare organizations have overlooked this critical step. Don't delay in performing and documenting a risk assessment for your entity.
How are you preparing for HIPAA audits? What preventative steps are you taking? Please join the conversation below.