Audits are being conducted by the Office for Civil Rights to ensure that proper HIPAA procedures are being followed by the medical community’s records offices. While OCR says the program is designed to make sure the approximately 200 officers being audited are complying with HIPAA, insiders in the tech industry are saying that the audits might not have the intended consequences.
One of the issues brought up by experts is the lack of guidelines being put forward by OCR. None of the 200 companies being audited even know what exactly they are being audited on.
Another issue is that the audit seems to be limited in scope and don’t seem to have a real goal of consumer protection. Only going through 200 or so programs and not actually giving a scope means that this is intended to be sort of a test run. Even OCR admits that they will be drawing up guidelines as a result of this audit process for future projects.
So what does that mean for us? It means that sometime in the future, that OCR will provide some best practices and procedures for health care organizations to follow with regard to HIPAA. Unfortunately, we have no idea when these procedures and best practices will come down the pipeline. In the meantime, all we can go by is a hunch of what is and what is not acceptable, even if we have done our due diligence in following the current guidelines.
At the end of the day, does this really protect patients and their privacy? Some experts don’t seem to think so. Breaches will continue to happen because of the medical industry’s poor protocols when handling data and the OCR’s weak attempts at setting guidelines.
Sure, OCR investigates breaches after they occur. Fines are levied, consumers are given free credit monitoring and then nothing else happens. This just leads to providers getting a slap on the wrist after the fact and OCR filling their coffers.
What needs to happen is a complete overhaul of how data is treated in the medical community. It lags behind other industries when it comes to encryption and security. OCR needs to set down absolute guidelines that protect our personal medical information. These audits need to be more widespread, with actual consequences for the violating party. It is imperative that OCR sets the highest standard possible for HIPAA compliance in technology.
Earlier pilot programs showed that these health care organizations had many instances of non-compliance, but unfortunately that has not led to large improvements in privacy for anyone involved. That is a problem that needs to be addressed immediately.