Preparing for Round 2 of HIPAA Audits

The HHS Office of Civil Rights is gearing up for round two of HIPAA compliance audits. What should security leaders expect, and how should they prepare? David Holtzman of CynergisTek and Geoff Bibby of Zix offer insights and advice.

To start with, covered entities should recognize that their odds of being audited are far greater than they were in round one, and OCR has made no bones about what it expects to examine for compliance.

"It will be sort of like an open-book examination at school," says Holtzman, a former senior advisor at OCR. "You know what the questions are going to be before they're even asked."

Entities need to be prepared to present information about their risk assessments, risk management plans, privacy programs, breach notification plans - and especially about their business associate relationships, Holtzman says.

"I urge folks to prepare themselves not just for the questions they will be asked ... but also how they're going to be prepared to provide this information about their business associates," he says.

A key component of security is to ensure that any email correspondence that contains personal health information - whether in correspondence with a patient, caregiver or third-party - is encrypted.

"Adding email encryption is really rather simple," says Bibby, VP of Marketing at Zix. "You can have a policy gateway at the perimeter of your network that will scan messages as they leave and enter the enterprise, look for sensitive information, and as soon as it detects that there is PHI within the message, it will immediately trigger encryption."

In an interview about preparing for round 2 of the HIPAA audits, Holtzman and Bibby discuss:

What covered entities should expect from auditors; The new emphasis on business associates; The role of email security in helping to ensure compliance.

Holtzman joined the information security consulting firm CynergisTek in 2013, where he serves as vice president of privacy and security compliance services. Previously, the attorney was a senior adviser at the Department of Health and Human Services' Office for Civil Rights, where he played key roles in planning and developing policy and guidance issued under HIPAA and HITECH Act regulations. Earlier, Holtzman served as the privacy and security officer for Kaiser Permanente's Mid-Atlantic region.

Bibby joined Zix in September 2003 and serves as Vice President of Marketing. He has more than 15 years of experience in high tech marketing. Prior to Zix, he spent six years at Entrust Inc., an internet security vendor, where he served in various management roles, including Marketing Director for Entrust European operations.