The OCR is coming, the OCR is coming!!
Phase 2 has begun
The Department of Health and Human Services' Office for Civil Rights ("OCR") previously concluded a pilot program that audited a small group of Covered Entities ("CEs") on their adherence to HIPAA regulations. That was just for starters. Phase 2 has commenced and by all accounts will have a far greater impact. It will not be limited to CEs; it will also include Business Associates ("BAs"), the organizations that do much of the heavy lifting in healthcare information technology.
The OCR will again be auditing for compliance with the HIPAA rules, with intense focus on security, risk analysis and risk management. This time, instead of a handful of organizations, every CE and BA is eligible for selection. Those chosen will undergo a comprehensive examination of their policies and procedures related to HIPAA privacy and security. If that weren't enough, the OCR has warned participants that audit findings revealing substantial security lapses could lead to additional investigations.
The Crown Jewels
Data, including Protected Health Information ("PHI"), is seldom sedentary; it has a vigorous lifecycle all its own. PHI, one of an organization's most precious assets, may begin life in one system or database and then journey to a host of other systems, databases and files. Without careful monitoring of where PHI travels and eventually lands, coupled with a rigorous Entitlement Management process, you end up with situations where an individual is prohibited from accessing PHI in one database but allowed to access a copy of the same PHI in another. This is known as a "Toxic Combination": the access decision made for the original is silently undone by the copy.
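What a toxic-combination check looks like in practice, as an added example (this is not code from the original article or from any particular product): take the output of a PHI discovery scan (which systems hold copies of which PHI data sets) and join it against the entitlement records for each system. Every user who is explicitly denied a data set in one system but allowed a copy of it in another is a toxic combination; every system holding PHI with no entitlement records at all is an unmanaged copy. The inventory, the entitlement records and the user names below are constructed sample data, and the "allow"/"deny" record format is an assumption for the example.

```python
"""Detect "toxic combinations": a user denied a PHI data set in one system
but permitted to read a copy of that same data set in another system.
Added illustration, not code from the original article.  All systems,
data sets, users and entitlement records are constructed sample data."""

# Constructed data-lineage inventory: which systems hold copies of which PHI
# data sets.  In practice this is the result of a discovery tool's scan.
PHI_INVENTORY = {
    "claims_db":        {"member_ssn", "diagnosis_codes"},
    "analytics_wh":     {"member_ssn", "diagnosis_codes", "lab_results"},
    "dev_sandbox_copy": {"member_ssn"},
    "ehr_prod":         {"lab_results"},
}

# Constructed entitlements: (user, system) -> "allow" or "deny".
# A missing record means the user was simply never provisioned there,
# which is not the same as an explicit denial.
ENTITLEMENTS = {
    ("alice", "claims_db"):    "allow",
    ("alice", "analytics_wh"): "allow",
    ("bob",   "claims_db"):    "deny",   # someone decided bob must not see this
    ("bob",   "analytics_wh"): "allow",  # ...but the warehouse copy lets him in
    ("carol", "ehr_prod"):     "allow",
    ("dave",  "analytics_wh"): "deny",
}


def systems_holding(dataset, inventory):
    """All systems whose scan results show a copy of the given data set."""
    return {system for system, datasets in inventory.items() if dataset in datasets}


def find_toxic_combinations(inventory, entitlements):
    """Return sorted (user, dataset, denied_in, allowed_in) tuples.

    A combination is toxic when the same PHI data set exists in at least two
    systems and the user is explicitly denied in one but allowed in another.
    Systems with no entitlement record for the user are ignored here: they
    neither grant nor contradict anything."""
    users = sorted({user for user, _ in entitlements})
    datasets = sorted(set().union(*inventory.values()))
    findings = []
    for user in users:
        for dataset in datasets:
            holders = systems_holding(dataset, inventory)
            allowed = sorted(s for s in holders if entitlements.get((user, s)) == "allow")
            denied = sorted(s for s in holders if entitlements.get((user, s)) == "deny")
            if allowed and denied:
                findings.append((user, dataset, tuple(denied), tuple(allowed)))
    return findings


def unmanaged_copies(inventory, entitlements):
    """Systems that hold PHI but have no entitlement records at all.

    These are the copies nobody is governing, typically the development
    and analytics extracts discussed in the next section."""
    governed = {system for _, system in entitlements}
    return sorted(system for system in inventory if system not in governed)


if __name__ == "__main__":
    for user, dataset, denied, allowed in find_toxic_combinations(PHI_INVENTORY, ENTITLEMENTS):
        print(f"TOXIC: {user} denied {dataset} in {denied} but allowed in {allowed}")
    for system in unmanaged_copies(PHI_INVENTORY, ENTITLEMENTS):
        print(f"UNMANAGED COPY: {system} holds PHI with no entitlements defined")
```

Run against the constructed data, the check flags bob twice (member_ssn and diagnosis_codes, denied in claims_db but allowed in analytics_wh) and reports dev_sandbox_copy as an unmanaged copy. The distinction between an explicit "deny" and a missing record matters: a missing record is an unprovisioned user, while an explicit deny that is contradicted elsewhere is a broken access decision, and only the latter is reported as toxic.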
The Dark Side
And then there is the 80% of an organization's data that lurks under the radar. It is concealed in software development and analytics environments, where adequate data safeguards are often treated as a "nice to have". This is where many organizations truly lose control. Analysts and software developers proliferate copies of PHI for expediency, and with few documented policies specific to these environments, little thought is given to the exposure of PHI in the rush to meet the next deadline. More frightening still, many of the individuals working with PHI in these environments are transient: contractors, or unnamed members of an outsourced organization in a remote corner of the world.
See the Light
Your organization may be comforted by the belief that it knows where its PHI resides. Compiled over time by anecdote and loosely maintained on spreadsheets, that inventory is your security blanket in case of an audit. However, you may be in for a rude awakening when data is breached from a location nobody suspected held PHI. It is critical to deploy a state-of-the-art tool to find where your PHI is hiding, tie the results to your access management information, and start to truly mitigate your risks. You don't need to bring in an army of consultants: pick a tool that is easy to use and provides results quickly. The alternative is to sit on your hands and hope for the best.
And don't forget about the Dark Side of your data! Evaluate every copy of PHI that is made, especially those used by software developers and data analysts. Update your policies to mandate the removal or de-identification of PHI where it does not belong, and institute automated, controlled distribution of the data those teams actually need. Done properly, you not only enhance security but also reduce your distribution costs and accelerate analytics and software delivery.
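The two controls above, finding PHI in places it should not be and cleansing it before the copy is distributed, look like this in miniature, as an added example that is not code from the original article or from any discovery product. It scans a constructed extract of the kind a developer might paste into a sandbox, treats a line as PHI only when it carries a direct identifier (a structurally plausible SSN or a medical record number), and then de-identifies those lines: SSNs are masked to the last four digits, MRNs are redacted, and dates are reduced to the year, which is what the HIPAA Safe Harbor method permits for dates. The sample records, the `MRN` plus seven digits format, and the column layout are all assumptions for the example.

```python
"""Find PHI in a copied extract and produce a de-identified version.
Added illustration, not code from the original article.  The extract,
the identifier formats and the column layout are constructed sample data."""
import re

# Constructed sample: a CSV extract a developer copied into a sandbox.
# Row 4 is release metadata that merely looks like an SSN and a date.
SAMPLE_EXTRACT = """\
patient_name,ssn,dob,mrn,note
Jane Roe,123-45-6789,1975-03-09,MRN0048213,"follow-up on labs"
John Doe,000-12-3456,1982-11-30,MRN0091177,"invalid ssn area, keep as test"
Build 2024.10,987-65-4320,2024-10-01,ticket-1234,"release notes, not a patient"
"""

PATTERNS = {
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "dob": re.compile(r"\b(19|20)\d{2}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])\b"),
    "mrn": re.compile(r"\bMRN\d{7}\b"),   # assumed local MRN format
}


def plausible_ssn(area, group, serial):
    """Reject SSN-shaped strings the SSA never issues (area 000, 666 or
    900-999; group 00; serial 0000).  This removes most false positives
    from version numbers, ticket IDs and test data."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def direct_identifiers(line):
    """Direct identifiers on one line: plausible SSNs and MRNs, as (kind, value)."""
    found = [("ssn", m.group(0)) for m in PATTERNS["ssn"].finditer(line)
             if plausible_ssn(*m.groups())]
    found += [("mrn", m.group(0)) for m in PATTERNS["mrn"].finditer(line)]
    return found


def scan(text):
    """Discovery step: every (line_number, kind, value) that marks a line as PHI."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, value in direct_identifiers(line):
            findings.append((lineno, kind, value))
    return findings


def scrub_line(line):
    """Cleansing step for one line.  Lines with no direct identifier (the
    header, non-patient rows) are left untouched; PHI rows have every
    SSN-shaped token masked, MRNs redacted and dates reduced to the year."""
    if not direct_identifiers(line):
        return line
    line = PATTERNS["ssn"].sub(lambda m: f"***-**-{m.group(3)}", line)
    line = PATTERNS["mrn"].sub("MRN-REDACTED", line)
    line = PATTERNS["dob"].sub(lambda m: m.group(0)[:4], line)
    return line


def scrub(text):
    """De-identified copy of the whole extract, safe to hand to a sandbox."""
    cleaned = "\n".join(scrub_line(line) for line in text.splitlines())
    return cleaned + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE_EXTRACT):
        print(f"line {lineno}: {kind} {value}")
    print(scrub(SAMPLE_EXTRACT))
```

The row-level rule is the part worth copying: a date or an SSN-shaped number on its own is not treated as PHI, but once a row carries a real identifier, everything identifying on that row is cleansed, including the implausible "000-12-3456" test value on John Doe's line, because on a patient row there is no reason to let anything SSN-shaped through. In a real pipeline the scrubbed output, not the original extract, is what the automated distribution step hands to developers and analysts.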