HIPAA audits focus on the role of the cloud
In the second installment of our blog series on HIPAA compliance, we look more closely at the OCR's Phase 2 audit program and its implications for users of cloud services. You can read our first installment, on the importance of risk management in ensuring compliance, here.
OCR Phase 2 HIPAA audit program highlights cloud services
The Office for Civil Rights (OCR), the part of the U.S. Department of Health and Human Services responsible for HIPAA enforcement, announced that its Phase 2 audit program would begin this year. This will increase the number of audits of healthcare providers, and those audits will specifically focus on whether providers are performing the required risk assessments and have Business Associate Agreements in place with third-party providers that handle patient data.
Are you ready for a HIPAA audit?
When you evaluate your readiness for an audit, pay particular attention to the IT services you consume from the cloud.
Many cloud applications, including email, file sharing, and even voice services (think voicemail transcripts and call recordings), can hold protected health information (PHI) covered by HIPAA. Identifying every such service, and which of them actually stores or transmits PHI, is therefore the first step of your risk assessment. The next step is to have a Business Associate Agreement (BAA) in place with each relevant service provider. Note that a signed BAA on its own does not make a service compliant: the service still has to appear in your risk analysis, and you remain responsible for how you configure it, who you grant access, and what you put in it.
Some providers have already been hit with penalties
The OCR has already issued penalties this year for missing BAAs and missing risk assessments, as part of several published enforcement actions.
In March, North Memorial Health Care of Minnesota agreed to pay $1.55M for failing to obtain a BAA from a vendor and for failing to properly conduct a risk assessment. A laptop owned by the vendor was stolen, and it contained the unencrypted records of almost 10,000 patients. Had the laptop been encrypted, the lost data would not have counted as unsecured PHI under the breach notification rule; instead, North Memorial is now required to comply with a Corrective Action Plan (CAP) put forth by the Department of Health and Human Services.
And in April, Raleigh Orthopaedic Clinic, P.A. of North Carolina was fined $750,000 for failing to obtain a BAA from a vendor. What's worse is that the vendor wasn't even a legitimate business, but a scam. The clinic had not vetted the vendor or determined whether it met the HIPAA definition of a business associate, which would have required a BAA before any PHI was handed over. In addition to the fine, Raleigh Orthopaedic has to put several risk management practices in place, including vendor vetting, to prevent this type of issue from recurring.
Don’t fail your next HIPAA audit
With HIPAA compliance you really need to dot all the "i"s and cross all the "t"s. Conducting a thorough risk assessment that covers your cloud services, and developing strong risk management practices around it, will go a long way toward ensuring that you're ready if the OCR comes knocking.
If you’re in the market for HIPAA compliant cloud IT services, you might consider Intermedia. We have put together a comprehensive package of IT services with powerful security and reliability baked right in. If you have any questions, feel free to call our experts at 800-379-7729.