Key Takeaways:

  • HIPAA audits resume: HHS OCR will restart random HIPAA audits to ensure compliance with data privacy and security requirements.
  • High failure rates: More than 80% of covered entities failed the risk analysis and risk management portions of past audits.
  • Enforcement focus: OCR will prioritize enforcement of the HIPAA Security Rule's risk analysis requirement, especially for smaller organizations.
  • How to prepare: Organizations should maintain accurate records, assemble a response team, and respond promptly to audit requests.

HIPAA Audits: HHS OCR Resumes HITECH Act Audits

Initially halted because of the pandemic, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has revealed its intention to resume random HIPAA audits this month.

These audits are intended to ensure that healthcare organizations comply with HIPAA and thereby protect patient privacy and security. The move signals a renewed emphasis on HIPAA compliance, which means that violations in the healthcare industry may well result in penalties.

During OCR's previous round of audits, carried out between 2016 and 2017, 94% of covered entities and 88% of business associates failed the risk management audit, while 86% of covered entities and 83% of business associates failed the risk analysis audit.

According to Melanie Fontes Rainer, Director of the HHS Office for Civil Rights, the HIPAA Security Rule's requirement to conduct a risk analysis will be a critical area of enforcement focus. Risk analysis remains a significant weakness among regulated organizations of all sizes, especially small and medium-sized entities, and poor risk analysis practices persist as a major contributing factor in many of the significant breaches reported to the agency.

What Is the OCR HIPAA Audit Program?

With the publication of the OCR audit protocol, HHS gave healthcare covered entities and business associates considerable insight into the questions they may face if selected for an audit.

The OCR HIPAA audit program is designed to analyze the processes, controls, and policies of selected covered entities and business associates. OCR has established a comprehensive audit protocol containing the requirements to be assessed through these performance audits. The protocol is organized into modules, representing the separate elements of privacy, security, and breach notification.

What Does the Protocol Cover?

According to OCR, the combination of requirements applied may vary based on the type of covered entity or business associate selected for review. The protocol's scope includes:

  • Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • Security Rule requirements for administrative, physical, and technical safeguards.
  • Breach Notification Rule requirements.

The latest protocol is broad in scope, covering a total of 180 areas compared with 165 in the version used for the original pilot audit program.

Given OCR's guidance, this is a perfect time for organizations with compliance obligations under HIPAA to reexamine their adherence to the regulatory standards as well as their readiness for a possible audit. Scrambling to respond to an audit request at the last minute is not a recipe for success.

How Do We Prepare for an OCR Audit?

The time to prepare for an audit is before you are selected. If you have already been selected, we can still help you prepare.

Now is the time to prepare, knowing that at some point you may be asked to produce evidence of compliance. Remember that an audit is not an enforcement action.

What Is the Goal of the OCR Audit?

The stated goal of the OCR audit program is to gauge overall HIPAA compliance across a wide variety of covered entities and business associates. HHS uses the data to assess the overall health of cybersecurity in the industry and to identify where additional outreach or education might be necessary. If you are notified that your organization has been selected for an OCR audit, the following guidelines will help with your response.

If You Are Selected for an OCR Audit, Mobilize!

Assemble your team. The team should include your privacy and security officials and your organization's compliance officer (if you have one). It is also a good idea to notify your internal and/or external legal counsel so they can be kept apprised of all requests from OCR and of the responses you provide. Have your advisors on standby so they can guide you when necessary.

Respond promptly and completely. When you are notified that you have been selected for an audit, you will also receive instructions on how and when to respond. There is documented evidence that being unresponsive will only make things worse for you if OCR uncovers significant findings of non-compliance. Make sure you keep a complete record of every exchange during the audit process; appointing one person to oversee all audit-related correspondence is also a good idea.

Some additional guidance points from OCR include:

  • Only data submitted on time will be assessed.
  • All documentation must be current as of the date of the request.
  • If yours is a desk audit, auditors will not have the opportunity to contact you for clarification or to request additional information, so it is critical that your documentation fully reflects your program.
  • Do not submit extraneous information, as it makes it harder for the auditor to assess the required items.
  • Failure to respond to a request may result in referral for a regional compliance review.

Craft responses carefully, and don't be bashful about questioning findings that you believe to be inaccurate. Historically, OCR has allowed organizations to respond to identified issues.

Be prepared to justify your position with facts and to explain the rationale for decisions about your compliance and security strategy. HIPAA's lack of specific guidance in many areas works in your favor, provided you can demonstrate a thoughtful and reasonable approach to complying with all standards.

Hopefully your OCR audit will go smoothly. If you have done a good job of addressing compliance standards and building out your security program, the report will require little follow-up action. If not, you may be subject to voluntary compliance activities or a more in-depth compliance review.

Compliance reviews that identify significant issues may require additional corrective action or lead to resolution agreements. In those cases, it is best to engage attorneys and consultants who are well versed in how OCR works.

If your OCR audit is part of the ongoing OCR audit program, be aware that the purpose of the random audits is to gauge the compliance of the larger population, not just your organization. OCR is charged with educating and equipping organizations with compliance strategies, and part of that mission necessarily includes a certain number of audits to find out how organizations are performing.

OCR Audit Preparation Checklist

If your organization is selected for an OCR audit, here is what it will need to have ready:

  1. Conduct a comprehensive risk analysis.
  2. Provide evidence of a risk management plan, including a list of known risks and the strategies for addressing them.
  3. Document policies and procedures, and explain how they are applied.
  4. Maintain an inventory of business associates, along with the related contracts and business associate agreements (BAAs).
  5. Identify where ePHI is stored, covering internal storage, printouts, mobile devices, removable media, and third parties.
  6. Monitor mobile devices and media such as USB drives, CDs, and backup tapes.
  7. Document your breach reporting policy and provide records of how breaches were handled.
  8. Document the security training sessions that have been conducted.
  9. Show evidence of the encryption capabilities that protect sensitive data.

OCR expects organizations to evaluate their procedures and the safety of ePHI with a high degree of objectivity. If you are introducing new business strategies, installing new information systems, or targeting new markets, you will need to analyze the risks associated with each initiative.

In its pilot program, OCR found that two-thirds of the organizations audited lacked a complete and accurate risk analysis.

To ensure compliance and protect your organization, a thorough and precise risk analysis is essential. Taking these steps now can help you avoid becoming part of that statistic and better prepare for an OCR audit. Prioritize your risk management efforts to protect your ePHI and maintain the integrity of your operations.


A Comprehensive Solution for Growth and Healthcare Compliance

Running a profitable company is essential, but regulatory compliance is simply mandatory. A strong information security program gives your executive team a vital understanding of the hazards your company faces and so guides its decisions. By offering reasonable, affordable solutions tailored to your specific risk profile, LBMC Cybersecurity distinguishes itself by producing real outcomes and a clear return on investment.

LBMC Cybersecurity excels at helping healthcare companies achieve compliance while supporting their growth. With advanced data security solutions and organizational processes, our team of data security professionals has a deep understanding of healthcare regulatory policy. Our full range of services includes risk assessments, penetration testing, HIPAA and HITRUST assessments, SOC 1 and SOC 2 audits with HIPAA mapping, security program consulting, CMS information security, GDPR and ACAB assessments, intrusion detection and prevention, and vulnerability management.

Ready to review your security posture? Our team ensures that your healthcare organization is protected and compliant.

Content provided by Adam Nunn and Garrett Zickgraf, LBMC Cybersecurity.