The long-awaited second phase of the Health Insurance Portability and Accountability Act (HIPAA) audit program is finally upon us. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently announced that it has selected Virginia-based FCi Federal as the vendor to conduct the next phase of HIPAA audits. Further, OCR has begun compiling the list of potential auditees for examination, which will include both covered entities and business associates.
It is important that potential auditees maintain readiness for audit examination because HIPAA noncompliance can be costly and disruptive to an organization. The most common deficiency found by OCR in its phase one audits was a failure of an organization to conduct a security risk assessment to identify and mitigate risks to protected health information (PHI), e.g., PHI on exposed servers, laptops unencrypted, default passwords not changed, security software not up-to-date, and inadequate training. As hard as it is to believe, this “lesson learned” still has not been implemented by many HIPAA entities, for as recently as a few weeks ago OCR announced a $750,000 settlement with Indiana-based Cancer Care Group, P.C., because it did not conduct an enterprise-wide risk analysis and implement follow-on device and media control policies to protect the transportation of unencrypted PHI. OCR contends that a risk assessment could have identified the control weakness.