Ex-OCR adviser offers HIPAA auditing tips

Attorney David Holtzman, former senior adviser at the U.S. Department of Health & Human Services Office for Civil Rights, expects OCR will begin its HIPAA audit program in April, and says it's important for providers to be prepared from all angles.

To that end, Holtzman, in a recent interview with HealthcareInfoSecurity, stresses the importance of encryption on end-user devices.

"When I look at breach reports, [a majority of] breaches involve lost or stolen devices that are not encrypted," Holtzman says. "Encryption on end-user devices will be something that will be looked at quite carefully."

Among other key areas auditors will examine, according to Holtzman: contingency planning and risk assessments.

"In addition, contingency planning and having appropriate data backups I know is a major concern," he says. For example, he says, in the aftermath of Superstorm Sandy in October 2012, many healthcare providers had their records, both paper and electronic, flooded out.

"I do know this is an area of special concern to [HHS], and they want to work with healthcare providers to raise awareness and expectations," Holtzman says.

Indeed, the Office of the National Coordinator for Health IT will soon be releasing a security risk assessment tool, representatives from the agency announced at HIMSS.

The tool, which is ONC's first app, will help providers with a key part of the security risk assessment process that many inadvertently neglect: documentation. The tool will be released in a few weeks, according to Joy Pritts, chief privacy officer at ONC.

Holtzman also says that organizations need to take steps to improve their overall security beyond just HIPAA compliance, and must have documents ready in case of an investigation.

As FierceHealthIT's Dan Bowman wrote in a recent editorial, data breaches are already painful enough for hospital CIOs under the new HIPAA rules, and now it appears that government enforcement may not end with the Office for Civil Rights.

In January, the Federal Trade Commission rejected the argument of Atlanta-based medical testing laboratory LabMD that the company was not subject to FTC security enforcement because it was already a covered entity under the Health Insurance Portability and Accountability Act. That means organizations could be dinged by both OCR and the FTC for a single data breach.
