Watch out, channel pros. The feds are about to start auditing healthcare providers for HIPAA compliance, and they’ve got small and midsize practices squarely in their sights.
The Health Insurance Portability and Accountability Act includes strict data privacy provisions covering anyone who handles private medical data. Though the law has been in effect for years, the federal government has only performed rigorous compliance checks once before, in 2012.
“What they found out with those audits was that smaller practices were less likely to even really pay attention to compliance than the big organizations,” says Mike Semel, CEO of Semel Consulting LLC, a HIPAA compliance advisory firm in Las Vegas.
As a result, healthcare SMBs are likely to be prominent targets when the government launches a second wave of audits it has promised for later this year. Failing those tests could have severe consequences too, according to Michael Mittel, president and CEO of RapidFire Tools Inc., an IT assessment software maker based in Atlanta.
“The penalties are very, very stiff,” he says, and the damage to an organization’s reputation can be even more expensive. “A business might not be able to survive that.”
And it gets worse. HIPAA’s security code applies to both care providers and their “business associates,” including IT providers. Audits affecting your clients will probably encompass your company as well, and if you flunk, so does your customer, even if they’re otherwise fully compliant.
“You could actually cause your client to fail the audit,” Semel says.
Preemptively auditing not just your clients’ environments but your own can spare you that fate, but it is easier said than done.
“It's kind of an arduous, tedious process,” Mittel states, which is why Network Detective, his company’s flagship IT inspection solution, offers a HIPAA compliance module that helps automate the work. Designed to anticipate the questions an auditor would ask, the system analyzes infrastructures for risk violations, ranks them by severity, and draws up remediation and management plans.
“The reports form a foundation for ongoing compliance,” Mittel says.
The time to start building such a foundation is now, too. The government has said it will publish a protocol for the new audits, as required by law, in April, and then accept public comment on it. But don’t expect the government to dawdle, Semel warns. Congress is leaning on administrators to get serious about privacy violators in a hurry.
“There’s sort of a fire lit under the agency to get this done,” he says. Federal inspectors should be knocking on doors well before the end of this year.