The Sookasa Blog

Phase 2 of HIPAA audits launches—with a focus on technology and encryption

After a yearlong delay—and a lot of uncertainty—Phase 2 of the national HIPAA compliance audits is finally underway. The Department of Health and Human Services Office for Civil Rights (OCR), which runs the audits, sent out pre-screening surveys last month to a pool of up to 800 organizations, from which 350 will be randomly selected for an audit. Focusing on areas flagged in the first round of audits, this phase will scrutinize healthcare organizations’ approaches to security and privacy. And while the waiting game no doubt spurred some organizations into action, it will be interesting to see what work remains to be done to uphold all of HIPAA’s complicated standards, especially when it comes to technology.

The first phase of the audits was completed in 2012, but this second phase will include some major changes. Not only does it apply to covered entities (doctors, pharmacies, insurance companies, HMOs, etc.) like Phase 1 did, but it will also audit business associates, which HHS only recently started requiring to be HIPAA compliant. This move acknowledges that it’s no longer just health care providers who handle patients’ protected health information (PHI), but also attorneys, accountants, and others—and it shows that they can all be held accountable if they’re not complying with HIPAA.

HIPAA compliance is essential wherever PHI is concerned, because it ensures that sensitive information is protected against potentially devastating breaches. More than 90 percent of healthcare organizations have suffered a data breach, and more than 40 percent have had more than five breaches in the last two years. Because the nature of health care requires so much personal information from patients, this incidence of breaches is troubling, and the problem areas causing the breaches must be identified. The audits are a good step in that direction.

Whereas Phase 1 of the HIPAA audits provided a comprehensive overview of all HIPAA standards, Phase 2 is focusing on the areas of highest risk that the overview identified. These include risk assessment, encryption, breach notification and incident response, access controls, and logging, among others. In other words, Phase 2 is focusing much of its efforts on the technologies that health care providers are using to store and share patient information.

So what can a healthcare organization do to adequately prepare for an audit (either now or in the future)? First of all, make sure your PHI is encrypted before it is stored in the cloud. By now we know that on-premises network security is vulnerable, and doctors, pharmacists, and especially patients want the ease of communication and sharing that the cloud provides. PHI can be stored in the cloud securely if it’s encrypted before it gets there, thereby staying encrypted anywhere it travels—whether that’s by email to a pharmacy, via a shared folder to a surgeon on another floor of the hospital, or through a Dropbox link an attorney can open on her phone to access a patient’s records.

Organizations should also prepare for the audits by making sure that all policies and procedures are up to date, conducting a risk assessment, compiling a list of business associates, and ensuring the breach notification policy is sound.

In many ways, using the cloud makes complying with HIPAA easier, and this round of audits might prove that. But if there’s one thing that’s already been made clear, it’s that close attention is being paid to the way technology is being used in the healthcare realm—and it will only grow in importance.