HIPAA Summit West: 1 in 4 Organizations Report Data Breaches
Leoz of OCR said the audits will review covered entities' approach to HIPAA compliance. He said the audits would lead to more preventative measures entities can take rather than creating a reactive culture. Leoz added there would be an increased potential for learning among covered entities because of these audits.
About 20 to 25 covered entities will be part of a testing phase. "We're going to try to look at different types of covered entities," he said. OCR's contractor will look for what programs different kinds of covered entities have in place.
"We will give an advance notice of the audit," Leoz said. "There will be a comprehensive data request and some on-site visits from OCR contractors who will interview covered entities' staffs."
2012 – and down the road
What about your organization's HIPAA compliance efforts in 2012 and beyond?
The important information security ventures for an organization in 2012 will be encryption, encryption and encryption, Pabrai said.
William R. Braithwaite, MD, PhD, chief medical officer at Anakam, Inc., said at the Summit that the healthcare industry needs to have strong authentication. And for patients who want remote access to their records, it needs to be multi-factor authentication. Braithwaite is known as "Doctor HIPAA."
For instance, have patients enter a username and password, then have that log-in trigger an alert to the patient's cell phone that gives the patient another code for access.
And as for tracking who's looking at what, that can't be a generic effort, Pabrai says.
"There are too many generic accounts across the industry where you cannot trace an action back to an individual," Pabrai said. "The user has to be able to trace things back to individuals, and you just cannot do that with generic accounts."
And don't forget social media, Pabrai said, because hospital employees can transmit information across a 3G or a 4G network and not through an organization's firewall system.
"You may take a photograph now, and you're transmitting that information about patients across a network structure that even the best organizations with the best security controls cannot" protect.
Social media, Pabrai said, is an "area of significant challenge."
Hopefully it is for those three percent Pabrai mentioned as well.
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.