
  • Resumption of HIPAA audits: HHS OCR will restart random HIPAA audits to ensure compliance with data privacy and security requirements.
  • High failure rate: Covered entities failed over 80% of past audits in risk analysis and management.
  • Enforcement focus: OCR will prioritize enforcing the HIPAA Security Rule’s risk analysis requirement, especially for smaller organizations.
  • Preparation: Organizations should prepare by keeping accurate records, assembling a response team, and responding to audit requests promptly.


The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced plans to resume random HIPAA audits this month, which it had paused due to the pandemic.

These audits aim to ensure healthcare entities comply with HIPAA regulations, safeguarding patient data privacy and security. The move indicates a renewed focus on HIPAA enforcement, signaling potential consequences for non-compliance in the healthcare sector.

During OCR’s last round of audits conducted between 2016 and 2017, 86% of covered entities and 83% of business associates failed the risk analysis audit, while 94% of covered entities and 88% of business associates failed the risk management audit.

According to the Director of HHS’ Office for Civil Rights, Melanie Fontes Rainer, the HIPAA Security Rule’s requirement to conduct a risk analysis will be a key area of enforcement focus. Risk analysis remains a significant weakness for many regulated organizations of all sizes, but especially for medium- and smaller-sized organizations. Poor risk analysis practices have been a major contributing factor in many of the significant breaches reported to the agency.

What Is the OCR HIPAA Audit Program?

With the publication of the OCR audit protocol, HHS gave healthcare covered entities and business associates insight into what they may face if they are selected for an audit.

The OCR HIPAA Audit program is designed to analyze the processes, controls, and policies of selected covered entities and business associates. OCR has established a comprehensive audit protocol that contains the requirements assessed through these performance audits. The entire audit protocol is organized around modules representing separate elements of privacy, security, and breach notification.


According to OCR, the combination of requirements reviewed may vary based on the type of covered entity or business associate selected for review. The protocol covers:

  • Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • Security Rule requirements for administrative, physical, and technical safeguards.
  • Requirements for the Breach Notification Rule.

The most recent protocol is broad in its coverage, with 180 areas in total, compared to 165 in the version used in the original pilot audit program.

Given OCR’s guidance, this is an ideal time for organizations with compliance obligations under HIPAA to re-examine their adherence to the regulatory standards and whether they are prepared for a possible audit. Scrambling at the last hour to respond to an audit request is not a recipe for success.


The time to prepare for an audit is before you have been selected. If you’ve already been selected, we can still get you ready.

Now is the time to prepare, knowing that you might be called on at some point to show evidence of compliance. Keep in mind that audits are NOT enforcement actions.


The stated goal of the OCR audit program is to measure overall HIPAA compliance across a variety of covered entities and business associates. HHS uses this data to assess the overall health of cybersecurity in the industry and to identify where additional outreach or education may be needed. If you are notified that your organization has been chosen for an OCR audit, the following guidelines will assist your response.

If You Are Chosen for an OCR Audit, Mobilize!

Assemble your team. The team should include your privacy and security officers, as well as your organization’s compliance officer (if you have one). It is also a good idea to notify your internal and/or external legal counsel so they can stay informed of all OCR requests and the responses you provide to OCR. Keep your counsel on standby to provide you with guidance if necessary.

Respond promptly and completely. If you are notified that you have been selected for an audit, you will also get instructions on how and when to reply. There is documented evidence that if OCR finds significant violations, not responding only makes things worse. Make sure you keep thorough records of all transactions during the audit process, and it’s a good idea to appoint one person to oversee all audit-related correspondence.

A few additional guidance points from the OCR include:

  • Only requested data submitted on time will be assessed.
  • All documentation must be current as of the date of the request.
  • If yours is a desk audit, the auditor will not have the opportunity to contact you for clarification or to request additional information, so it is critical that your documents adequately reflect the program.
  • Do not submit extraneous information, as it makes it harder for the auditor to evaluate the requested items.
  • Failure to submit a response to the request may result in a referral for a regional compliance review.

Craft your responses carefully, and don’t be shy about challenging findings you believe are inaccurate. Historically, the OCR has allowed organizations to respond to identified issues.

Be prepared to support your position with facts and to explain the rationale behind your compliance and security policy decisions. There are many areas where HIPAA’s lack of specific direction works in your favor, assuming you can demonstrate a thoughtful and reasonable approach that meets all the standards.

Hopefully, your OCR audit goes smoothly. If you have done a good job addressing the compliance standards and building your security program, the report will require little or no follow-up. If not, you may be subject to voluntary compliance activities or a more in-depth compliance review.

A compliance review that identifies significant issues may require additional corrective action or result in a resolution agreement. In these situations, it is best to engage attorneys and consultants who are well versed in OCR’s work.

If your OCR audit is part of the ongoing OCR audit program, keep in mind that the purpose of random audits is to measure the compliance of a larger population, not just you. OCR is responsible for educating and equipping organizations with compliance strategies, and part of that task necessarily includes a certain number of audits to find out how organizations are performing.


Here’s what your business will want to have prepared if you are selected for an OCR audit:

  1. Conduct a comprehensive risk analysis.
  2. Provide evidence of a risk management plan, including a list of known risks and strategies for addressing them.
  3. Document policies, procedures, and descriptions detailing their implementation.
  4. Maintain inventories of business associates, along with relevant contracts and Business Associate Agreements (BAAs).
  5. Describe where ePHI is stored, covering internal storage, printouts, mobile devices, media, and third parties.
  6. Monitor mobile devices and media, such as USB drives, CDs, and backup tapes.
  7. Document breach reporting policies and provide records of responses to breaches.
  8. Document the security training sessions that have been conducted.
  9. Show evidence of encryption capabilities that protect sensitive data.

OCR expects organizations to evaluate their programs and the security of their ePHI with a high degree of objectivity. If you are introducing new business strategies, installing new information systems, or targeting new markets, you will be required to analyze the associated risks for each initiative.

In its pilot program, OCR found that two-thirds of audited organizations lacked a complete and accurate risk analysis.

To ensure compliance and safeguard your organization, it is crucial to conduct a thorough and precise risk analysis. Taking these steps now can help you avoid becoming part of that statistic and better prepare for an OCR audit. Prioritize your risk management efforts to protect your ePHI and maintain the integrity of your operations.


Comprehensive Solutions for Healthcare Compliance and Growth

While regulatory compliance is mandatory, so is operating a successful business. A robust information security program can provide the necessary insight into the risks facing your organization, allowing your executive team to make informed decisions. LBMC Cybersecurity stands out by offering practical, cost-effective solutions tailored to your specific risk environment, leading to real results and a measurable return on investment.

LBMC Cybersecurity excels at helping healthcare organizations achieve compliance while supporting growth. Our team of data security experts has in-depth knowledge of healthcare regulatory policies, organizational processes, and advanced data security solutions. Our comprehensive services include risk assessments, penetration testing, HIPAA and HITRUST assessments, SOC 1 and SOC 2 audits with HIPAA mapping, security program consulting, CMS information security, GDPR and ACAB assessments, intrusion detection and prevention, and vulnerability management.

Ready to discuss your security concerns? Contact our team to ensure your healthcare organization is protected and compliant.

Content provided by Adam Nunn and Garrett Zickgraf, LBMC Cybersecurity.