Gearing Up for HIPAA Compliance Audits in IT, Part 1
When the Federal Health Insurance Portability and Accountability Act – affectionately known as HIPAA – was passed in 1996, no one was seriously thinking about how things like the Internet, electronic health records (EHRs), cloud computing and smartphones would affect personal health information (PHI). Fast forward 13 years to 2009, when the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act. Suddenly, there was an intersection between EHR adoption, government incentives and the safety and security of electronic PHI. Thanks to HIPAA, HITECH and other factors too numerous to list here, the delivery of health care services in the United States is changing rapidly and forever.
This year, the U.S. Department of Health & Human Services (HHS), via its Office for Civil Rights (OCR), launches the first HIPAA compliance audits ever conducted. (It only took them 16 years!) The OCR is planning audits of 150 HIPAA-covered entities in 2012, including hospitals, physician and dental offices, labs, nursing homes and pharmacies. Security compliance will be a major part of the audit, and, in today’s world, that rests heavily on IT folks.
I recently read an article that describes information security as the Achilles' heel of PHI. Unsecured storage devices, portable devices and the concept of BYOD (bring your own device) make data loss via theft or computer failure a very real issue – and a headache for any health care IT department. Plus, under HITECH, liability for a PHI breach is extended to business associates (third-party vendors, suppliers, consultants, contractors and the like). So, if you're in IT, you have to think about systems security with any business associate you work with.
I know Graphic Enterprises will be considered a business associate by many of our health care customers in Ohio and Pennsylvania who use the copiers, printers and document management systems we provide. In many cases, our equipment and software play a critical role in both HIPAA and HITECH issues and objectives.
If you’re reading this, chances are good that you’re not among the first 150 entities that are being audited this year. But, you can be sure you’ll eventually be under the microscope.
So, in this series of blog posts about HIPAA compliance audits, I want to help you get ready by discussing some of the IT security issues that face the health care industry and how you can minimize your risk – particularly with business associates and the use of copiers, printers, multi-function printers and document management systems.