A recent analysis of the first compliance audits for HIPAA, the nation's landmark health information security and privacy law, has found that small organizations are experiencing more difficulty than large ones in meeting the stringent IT security requirements of the regulation. According to Linda Sanches, who helped to supervise the audit process for the federal government, "HIPAA hasn't been a priority for several years... Risk assessments were done six years ago and haven't been looked at since."
The compliance audits were coordinated by the Office for Civil Rights, a division of the federal Department of Health and Human Services. These audits are required under the HITECH Act, a law that stresses the importance of electronic health records but also mandates substantial security measures to protect them from cyber criminal activity. Thus far, 20 initial HIPAA audits have been conducted. The preliminary results indicate that smaller organizations in particular are struggling to meet the security requirements for protecting information online; Sanches conceded that "larger institutions are getting better at that."
IT risk management personnel at smaller organizations should therefore pay particular attention to the issues identified as "trouble spots" by the federal government's audit analysis. These issues cover a diverse range of topics, such as an organization's capacity to monitor user activity on a continuous basis in order to identify suspicious actions or troubling anomalies quickly. Small businesses also need to pay more attention to contingency planning and to their methods and policies for the re-use or destruction of data storage media. Procedures for granting user access, or for modifying that access once it has been granted, should also be carefully scrutinized to be sure that all mandated requirements are being met.
Privacy issues must also be considered. The initial HIPAA audits have indicated that organizations face several challenges in this regard as well. Small businesses need to pay more attention to how they handle the personally identifiable information of individuals who have passed away, and must in particular improve their verification measures in order to be more certain of the identity of individuals and businesses requesting access to personal health information.
These issues are challenging for SMBs, since these businesses must often contend with limited resources. One way to use those resources to best advantage is to work with an IT consulting firm to assess current progress toward meeting all HIPAA mandates.