Leoz of OCR said the audits will review covered entities' approach to HIPAA compliance. He said the audits would lead to more preventative measures entities can take rather than creating a reactive culture. Leoz added there would be an increased potential for learning among covered entities because of these audits.
About 20 to 25 covered entities will be part of a testing phase. "We're going to try to look at different types of covered entities," he said. OCR's contractor will look for what programs different kinds of covered entities have in place.
"We will give an advance notice of the audit," Leoz said. "There will be a comprehensive data request and some on-site visits from OCR contractors who will interview covered entities' staffs."
2012 – and down the road
As for your organization's HIPAA compliance efforts in 2012 and beyond?
The important information security ventures for an organization in 2012 will be encryption, encryption and encryption, Pabrai said.
William R. Braithwaite, MD, PhD, chief medical officer at Anakam, Inc., said at the Summit that the healthcare industry needs to have strong authentication. And for patients who want remote access to their records, it needs to be multi-factor authentication. Braithwaite is known as "Doctor HIPAA."
For instance, have patients enter a username and password, then have that log-in trigger an alert to a cell phone that gives the patient another code for access.
And as for tracking who's looking at what, that can't be a generic effort, Pabrai said.
"There are too many generic accounts across the industry where you cannot trace an action back to an individual," Pabrai said. "The user has to be able to trace things back to individuals, and you just cannot do that with generic accounts."
And don't forget social media, Pabrai said, because hospital employees can transmit information across a 3G or a 4G network and not through an organization's firewall system.
"You may take a photograph now, and you're transmitting that information about patients across a network structure that even the best organizations with the best security controls cannot" protect.
Social media, Pabrai said, is an "area of significant challenge."
Hopefully it is for those three percent Pabrai mentioned as well.