The Office of Civil Rights (OCR) under Health and Human Services (HHS) began auditing covered entities in Nov 2011. They recently presented the results of their initial privacy and security audits of 20 covered entities. The results are briefly summarized below:
- Entities of all sizes and types were audited, including healthcare providers (10), health plans (8) and healthcare clearing houses (2). The 10 providers included 3 physicians, 3 hospitals, 1 laboratory, 1 dental office, 1 nursing & custodial care facility, and 1 pharmacy. 4 of the 10 were small providers. So if you think that your practice is small and hence may not be audited, think again!
- Healthcare providers have a lot more compliance issues than health plans and clearing houses.
- Not surprisingly, small providers had more compliance issues than bigger providers.
- Security deficiencies are more numerous than privacy deficiencies.
Ensuring the security and privacy of patient health information, along with providing great care, should be a top priority for any healthcare provider. It is the basis of establishing trust with the patient. The consequences of a data breach and medical identity theft can be disastrous for both the provider and the patient. OCR is clearly serious about the security and privacy of health information and intends to continue to conduct audits on a regular basis. This is the right time for all healthcare providers, especially small providers who have put off their compliance activities, to initiate steps in that direction. You do not want to wait until you receive an audit notice to begin to address the security and privacy issues.