HealthITSecurity.com has a very good article called "What the HIPAA Omnibus Rule meant for healthcare in 2013."
They give a good overview of the HIPAA Omnibus Rule and its impact. What I found even more interesting is some of the comments by OCR regarding their plans for 2014. They give clear insight into the permanent HIPAA audit program being set up in 2014. The audit program will look at Business Associates as well as HIPAA Covered Entities.
(OCR Director Leon) Rodriguez explained that major security failures, egregious HIPAA violations and failure to provide access in combination with a breach are three main types of major enforcement cases that can help project how OCR will analyze future breaches. “I think we’re going to find that there were a lot of covered entities that didn’t realize they have BAs and BAs that didn’t know they were BAs,” Rodriguez said.
The 2014 audits will not be as broad as the pilot audits in 2012. This will allow OCR to conduct a lot more audits.
Additionally, Rodriguez said OCR will not use 200 points of auditing again. He wants to reach more organizations annually in a targeted manner and despite OCR having a multi-million dollar appropriation from the HITECH Act to conduct the pilots, Rodriguez wants to use the funds in a more widely-distributed way for the 2014 audits. “This way, we can see change year-by-year, depending on where we’re seeing vulnerabilities, and one focus in the audits will be on risk analysis,” he said.
Again, it is clear that OCR is going to ask to see an organization’s HIPAA Risk Assessment / Risk Analysis. Not being able to produce a thorough Risk Assessment will lead to higher fines. For more proof, take a look at the settlement APDerm recently reached for not having a Risk Assessment and not having HIPAA Policies and Procedures.
Understand a HIPAA Risk Assessment
Organizations need to perform a Risk Assessment to determine the likelihood of risks and what additional security measures should be put in place to protect patient information.
to better understand the HIPAA Risk Assessment process