Troy Young, chief technology officer at AdvancedMD and a cybersecurity expert, offers IT and infosec professionals some useful advice to help manage the potential of HIPAA audits.
for auditing and enforcing compliance with the HIPAA security and privacy regulations, as well as the additional rules and clarifications contained in HITECH.
OCR enforces privacy and security rules through compliance audits, education and outreach, and subsequent fines or mitigation expenses. OCR also works with the Department of Justice on possible criminal violations.
An OCR audit is usually triggered by one of two events: either a complaint has been filed against the practice by a patient or an internal whistleblower, or the practice has reported a breach to OCR.
“Breaches affecting 500 individuals or more must be reported to OCR, in addition to other reporting requirements,” explained Troy Young, chief technology officer at AdvancedMD, a medical office platform vendor.
“However, there’s no direct correlation between the magnitude of a breach and OCR’s fine,” said Young, who recently completed a master’s degree in cybersecurity from Utah Valley University.