Earlier this summer, the U.S. Department of Health and Human Services conducted its first audit under the Health Insurance Portability and Accountability Act security provisions. Understandably, it got a lot of coverage just because it was the first of its kind.
Now, it seems the agency is ramping up its audit efforts. Computerworld reports:
[T]he U.S. Department of Health and Human Services (HHS) is starting to swing the enforcement rule -- a dowdy part of the Health Insurance Portability and Accountability Act (HIPAA) that few people read -- like a scythe in a field of weedy policies and overgrown practices.
This should come as no surprise, writer Jon Espenschied says, given the steep increase in emphasis on "governance reform and example-making." Companies need to realize that they will be held responsible for breaches within their own organizations. As an example, he points to the experience of San Diego's Council of Community Clinics, where a disgruntled former employee returned and destroyed patient records:
When a systems or network administrator with broad access leaves an organization, hand-waving does not constitute proper revocation of access. Sure, the reality of working in a small organization means that separation of duties may be a luxury (and the HIPAA rules allow more leeway for small health care providers). However, that's no excuse for lack of monitoring to the degree that one simply does not know what the administrator installed or had access to, nor is it an excuse for failing to close off access before a new administrator arrives.