The latest Healthcare Information Security Today survey conducted by Information Security Media Group, released in June of this year, reveals that many covered entities which must observe HIPAA compliance are overconfident about passing the next phase HIPAA compliance audits.
The survey showed that nearly 80 percent of entities who participated in the survey felt “confident” or “somewhat confident” that they would pass a HIPAA compliance audit by the Department of Health and Human Service's Office for Civil Rights with minimal non-compliance issues. This percentage differs significantly, however, from how many entities today seem to be observing proper compliance. Many entities, for example, have yet to implement key technologies and practices that would protect personal health information against today’s emerging cyberthreats, including those measures outlined in the HIPAA Security Rule.
Additional statistics from the survey reveal just how many entities may be at risk for non-compliance with HIPAA’s Privacy Rule. When asked whether their organization conducted a security risk assessment last year, only about 75 percent of entities responded in the affirmative. Failure to perform a thorough security risk assessment happens to be the most common non-compliance issue cited by OCR during HIPAA breach investigations, meaning that compliance numbers are already falling below compliance confidence levels. Another statistic reveals that despite increasing instances of lost or stolen unencrypted devices—a trend responsible for the majority of health data breaches since 2009—only about 60 percent of surveyed entities require encryption on portable devices and media.
The survey also gave insight into how organizations handle HIPAA compliance with their business associates and their subcontractors. Under the HIPAA Omnibus Rule that went into effect in 2013, these business associates and their subcontractors are directly liable for HIPAA compliance. Yet only 26 percent of entities asked their business associates to provide a copy of a security audit; only 24 percent obtained a copy of their security policies; and only 15 percent have enlisted third-party validation of their policies and procedures.
The bottom line is that HIPAA compliance remains top priority, yet many entities around the country are overconfident about their own compliance. This could be because entities are putting too much focus on improving regulatory compliance, rather than on improving overall information security to guard protected health information against today’s now-common security breaches.