
Last week the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) released its version of a Security Risk Assessment tool to “help guide health care providers in small to medium sized offices”. This comes after their announcement in February to target 1,200 companies for proactive HIPAA audits, a third of which will be Business Associates (BAs).

All this activity follows criticism from some quarters that since introducing the Audit Protocols in 2011, the OCR has been largely ineffective at applying them. With other agencies seemingly stepping in to fill the void, the OCR is under increasing pressure to step up their game and show they are able to effectively police the HIPAA regulations.

So who will be affected? When the OCR conducted its first set of audits in 2011 to validate the Audit Protocol, it focused mainly on large Covered Entities such as hospitals and health plans. This time around it has indicated it will be targeting Business Associates as well, but it is probably still safe to assume the focus will be on larger enterprises rather than small to medium sized businesses. However, this does not mean SMBs should remain complacent: this exercise is part of a general acceleration of proactive auditing by the OCR, and of course, should any company suffer a breach, it immediately puts itself in the OCR strike zone.

Until now, for many small and medium sized businesses, managing HIPAA compliance has been more of a marketing initiative than a true exercise in managing and protecting sensitive data. This is not a criticism or a suggestion that these companies are trying to be deceptive; rather, there is an element of denial within the small to medium business community about compliance and a belief that, despite the changes in the law last year, they can continue to fly under the radar. This approach is driven by a lack of understanding about what they need to do to manage compliance.

The reality is that while compliance is a never-ending journey, the first steps are relatively simple. The OCR comes down hardest on companies that have never conducted a risk assessment, which is why it has now released its own Risk Assessment tool. It is making clear that there is no excuse for not completing a risk assessment, and that it prefers companies that know where their vulnerabilities are to those that don't. Sticking your head in the sand, or assuming that good IT practices are sufficient, will only result in a stiffer penalty. It is much better to learn what you need to do and to get started down that path, even if you can only do so slowly. As a smaller organization you are not expected to employ the same level of tools or resources to manage compliance, but you are expected to know what compliance looks like and to have a plan to achieve it.

Despite these recent announcements, it is unlikely that as a small to medium business you need to be looking over your shoulder worried about a proactive OCR audit. That day may still come, but in the interim you need to be sure you are taking the appropriate actions in case you find yourself under the microscope for less random reasons, such as a reported breach or complaint. And that starts by conducting your own Risk Assessment. You can find more about how to manage your compliance at http://ostendio.com.

Resources: Security 101: Security Risk Analysis – Risk Assessment | Compliance 101: MyVCM High Level Risk Assessment