This summer, the Office for Civil Rights (OCR) began sending out preliminary surveys to healthcare providers in advance of the long-awaited (or long-dreaded) Phase 2 Health Insurance Portability and Accountability Act (HIPAA) audits. The audits are now slated to begin in early 2016, and as the start date looms ever closer, healthcare providers may be starting to panic.

It is expected that 350 covered entities and their business associates will be audited at random, and the OCR intends to investigate areas on which entities scored particularly low in Phase 1, including encryption, security, protected health information access and data breach notification. In other words, the OCR is cracking down on exactly the vulnerable areas that are contributing to the constant barrage of data breaches the healthcare industry has seen this year. 

The numbers speak for themselves. Last year, 282 data breaches in the healthcare sector affected at least 500 individuals each. This year, the healthcare industry had already amassed 187 data breaches just through the end of May. Perhaps even more startling is the fact that those 187 breaches accounted for 34 percent of the records breached, exposing more than 84 million patients' records. 

When you take all that information into account, it’s no wonder that the OCR is taking strides to ensure HIPAA compliance. After all, compliance is the first step toward understanding what your company is and isn’t doing to keep protected health information (PHI) secure. As technology changes and more information is stored electronically, it’s becoming harder and harder to keep patient information secure. Still, complying with HIPAA means that you have at least some safeguards in place, so preparing for the audits is a good idea for every medical professional, even if you don’t make the OCR’s cut.

Five Tips for Phase 2 Audits

1. Find and encrypt your sensitive data. You cannot protect PHI you have not located, so start with discovery: know which of your sensitive files are already encrypted, and search the rest for documents that contain medical record numbers (MRNs), Social Security numbers (SSNs) or other sensitive bits of PHI. Then develop a strategy for file-level encryption that protects sensitive documents on mobile devices, where they are the most vulnerable (and where your employees are most likely syncing files without protection).

2. Make sure all security and privacy policies are up-to-date. HIPAA compliance is often about policies, so review your company's policies in detail. Pay particular attention to policies governing device usage, bring your own device (BYOD) and integrity control. Be sure to read between the lines on policies, because you can bet your employees will. For example, if you have a BYOD policy, know that your company's data, and even PHI, might be synced to employees' mobile devices. A Business Associate Agreement (BAA) with a cloud provider is a contractual control, not a technical one: even with a BAA signed, your data will not be protected once it lands on those devices unless you have deployed a second layer of file-level encryption.

3. Know how you'll respond to a data breach. Many companies fall victim to thinking that a data breach could never happen to them, but chances are that everyone will get hit with one eventually. In fact, more than 90 percent of healthcare organizations have experienced a data breach in the last five years. Have a comprehensive, written procedure in place before it happens: how the incident is handled in-house, how and when affected patients are notified, how the effects are mitigated and how the underlying vulnerabilities are fixed.

4. Understand how PHI gets shared in your organization. Are your records kept on paper? In shared Dropbox folders? In a password-protected portal? Who can access files and when? Who can share them with whom? Know how your PHI is stored and shared, and make sure your staff knows, too. What’s more, make a list of all third-party business associates such as lawyers, tech providers, accounting firms and transcription services who handle PHI, because business associates will be audited this time around as well, and they can often be your weakest security link.

5. Conduct your own audit. You don’t have to wait for OCR to evaluate your compliance and security measures. Hire a third party to conduct a preliminary audit. That way, you’ll still have time to fix any outstanding problems before the OCR comes calling. If you don’t end up being officially audited, you’ll still have a good grasp on your organization’s vulnerabilities and how to fix them.
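The discovery step in tip 1 is the one that can be automated. The following script is an added example, not code from the original article or from Sookasa: it scans plain-text files for candidate SSNs and MRNs, applies the Social Security Administration's structural rules to throw out non-SSNs (area 000, 666 and 900-999, group 00 and serial 0000 are never issued), and reports each hit with all but the last four digits masked so the report itself does not become PHI. The MRN pattern (an "MRN" label followed by six to eight digits) is an assumed local format, since MRNs have no national standard; adapt it to your own EHR. The sample text is constructed, not real patient data.

```python
"""Added example: locate candidate PHI (SSNs, MRNs) in text before encrypting it.

Standard library only, runs offline. The MRN format is an assumption; the SSN
structural rules are the SSA's. Findings are masked so the scan report is safe to share.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# SSN as 123-45-6789, 123 45 6789 or 123456789. The digit lookarounds stop a match
# from starting or ending inside a longer run of digits (account numbers, phone numbers).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Assumed local format: an "MRN" label, optional separator, then 6-8 digits. Not a standard.
MRN_RE = re.compile(r"\bMRN[:#\s]*(\d{6,8})\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str       # "SSN" or "MRN"
    line_no: int    # 1-based line within the scanned text
    masked: str     # value with all but the last four digits replaced by '*'


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area not 000, 666 or 900-999; group not 00; serial not 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(digits: str) -> str:
    """Keep only the last four digits so a finding is not itself an identifier."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Scan an iterable of text lines and return structurally valid SSNs and MRN-labelled numbers."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        for m in SSN_RE.finditer(line):
            if valid_ssn(*m.groups()):
                findings.append(Finding("SSN", n, mask("".join(m.groups()))))
        for m in MRN_RE.finditer(line):
            findings.append(Finding("MRN", n, mask(m.group(1))))
    return findings


def scan_tree(root: str, suffixes=(".txt", ".csv", ".log")) -> Dict[str, List[Finding]]:
    """Walk a directory of plain-text exports and map each file path to its findings."""
    report: Dict[str, List[Finding]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_lines(fh)
            except OSError:
                continue    # unreadable file: skip rather than abort the whole scan
            if found:
                report[path] = found
    return report


# Constructed sample text; none of these values belong to a real person.
SAMPLE = """\
Discharge summary for J. Doe, MRN: 00481516
SSN on file: 219-09-9999
Claim ref 900-11-2222 (area 900-999 is never issued, so not an SSN)
Callback 555-12-0000 (serial 0000 is never issued, so not an SSN)
Phone 555-123-4567 is not an SSN
Legacy id 078051120 (no separators)
Related chart mrn#654321 reviewed
"""

if __name__ == "__main__":
    for f in scan_lines(SAMPLE.splitlines()):
        print(f"{f.kind} at line {f.line_no}: {f.masked}")
```

Run against the sample, the scan reports one MRN on line 1, one SSN each on lines 2 and 6, and a second MRN on line 7; the two structurally invalid numbers and the phone number are not reported. A regex pass like this is a starting point for the inventory, not the end of it: it sees nothing inside images, scanned PDFs or already encrypted containers, and each hit should be confirmed by a person before the file is classified as PHI.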

Asaf Cidon is CEO and co-founder of Sookasa, a cloud security and encryption company that enables safe adoption of popular cloud services such as Dropbox and Google Drive to store sensitive information. For more information, visit
