OCR Audit Letter: an example of a possible audit review
For years we here at Mediprocity have been discussing the risks of not encrypting your patient health information in light of the Final HIPAA Omnibus Rule (2013). Overall, we have found that most potential customers are concerned about and aware of the regulations, but that certainly doesn't mean the majority are in a big hurry to secure themselves. There are those organizations, however, that take it very seriously and have fully encrypted their data, put policies in place and performed their annual risk analysis. More often than not, though, many are still on the fence, especially when it comes to secure text messaging.
In light of the recent Anthem attack, many legislators are discussing making encryption mandatory rather than voluntary. This would be an ideal choice, as meeting protection standards is far more cost-effective than dealing with an actual breach. Not only the fines, but the cost to defend your organization as well as the cost to your business reputation, are so high that this should be a no-brainer in 2015. Borrowing from the old California milk campaign that worked so well for 21 years, healthcare needs to call the firm and begin a new one... "Got Encryption?!"
If you are still trying to decide what is best for your organization, or taking time to find the security firm that has 100% of the bells and whistles you want, then the question must be asked... "What would you do if you received a letter from the OCR?"
The OCR (Office for Civil Rights), which oversees HIPAA, sends an audit letter to your organization. Your organization has fewer than 10 employees, and you received this letter because a covered entity or business associate you do business with had a breach. Now you are being investigated.
You have 20 days to respond to the following items, which include:
1) A full written response to the allegations
2) All documentation associated with the allegations
3) Records showing your most recent risk assessment
4) Whether you discovered a breach during your assessment
5) Copies of your policies and procedures for safeguarding PHI
6) Risk analysis per 45 C.F.R. § 164.308(a)(1)(ii)
7) Evidence of your systems (access, activity, security levels)
8) Evidence of network scans and penetration tests
9) Copy of the policy required by 45 C.F.R. § 164.308(a)(4)
10) Copy of your training materials and evidence that they are put into daily practice
11) Evidence of malicious software protection
12) Backup procedures and evidence that they are followed
13) Evidence of technical access controls
14) Evidence of network security
15) Details of network security
Then you must add the full name and title of the individual(s) responsible for all requests. YOU HAVE 20 DAYS from receipt of this letter.
If you are the type of organization that is still working to put together your policy, and you have nothing in place around mobile devices except "we tell our staff not to use them," how do you think that will go over in your response? How do you think it will go over if you can't answer most of these questions?
Now, let's reverse that to a situation where you can send them your full risk analysis and detailed network security information, and you have your email and mobile devices fully encrypted.
Sign up today and see just how easy it is to protect your organization using Mediprocity! In fact, Mediprocity goes further than just HIPAA protection: we can help change the way you communicate healthcare information!
Check out our partners for more protection services:
Keystone IT -- network management and analysis
Working Security -- penetration tests and system tests
HIPAAtrek -- great resource for getting your HIPAA documents in order
LuxSci -- full email encryption that is integrated with Mediprocity