The Office for Civil Rights (OCR) has announced the rollout of Phase 2 of its HIPAA Audit Program. The program is already underway and will include both covered entities and business associates. Its intent is to identify best practices and to proactively address potential risks and vulnerabilities specific to protected health information (PHI). This will be the first time that business associates, including HIPAA compliant hosting partners, are subject to these audits.
This announcement will likely have some hosting providers scrambling to prepare, especially when coupled with the strong message the OCR sent with the first ever HIPAA penalty imposed on a business associate. That case involved a nonprofit organization, a $650,000 fine, and the theft of an unencrypted smartphone that was not password protected. The importance of compliance, device encryption and password protection cannot be overstated when working with PHI. It is also a sign of what is to come in terms of HIPAA enforcement by the OCR.
It is critical to fully understand the choices you have, and the requirements that come with each, when maintaining HIPAA compliance and the security of your data. It is also important to be able to recognize and interpret the claims some providers make when promoting HIPAA compliant support. Does their package include every HIPAA/HITECH compliant hosting service you need? If not, will you be charged extra for the additional requirements? Do they offer 24/7 monitoring? Do they proactively undergo an annual audit by a third-party auditing firm?
Many providers are quick to imply that they can offer a HIPAA certification, or some other seal of approval that automatically protects you and the PHI under your care. This should be a red flag. Some will even go so far as to say that they or their systems are endorsed by the OCR. The reality is that the OCR does not endorse any person, company or product as being “HIPAA compliant.” Full transparency and awareness of the potential pitfalls are more important than ever at a time when breaches are beginning to feel like regular occurrences.
Organizations that handle protected health information understand that HIPAA compliance is crucial. Recent actions by the OCR underscore the importance of choosing carefully whom your business partners with. The comparison and selection of any business associate, including a hosting provider, should be a deliberate process.
As always, if you have any questions about HIPAA/HITECH compliance, please don’t hesitate to contact us.