
Eight Reasons Why You Need to Audit Your Data Security Plan

September 2, 2016
by Lee Barrett, Executive Director, EHNAC

Steps that hospital IT departments can take to ensure they are mitigating risk for their organization

No company is immune to a data breach that could severely compromise your records and your credibility with customers. Every healthcare company should have a data security and privacy plan that identifies potential threats and outlines how to deal with them.

You also should review your plan on a regular basis and have the plan audited by an appropriate agent. Healthcare security consultants, accrediting agencies and others can proactively audit your plans and make suggestions on how to improve.

While it’s highly unlikely that you’ll ever face a federal audit, a significant breach can trigger an investigation that includes your data and security plans. Having a plan may not assuage hefty fines if that plan hasn’t been tested through an audit.

Whether you’re a small provider, large provider, health system, billing company, health plan or healthcare vendor, the advice is the same: you need a plan and you need to audit it.

The eight reasons you need an audit can be divided into two categories: the bad things that can happen if you don’t do an audit, and the good things that can happen if you do.

First off, the bad:

  1. Think about the literal cost to your business if your data gets into the wrong hands. In just the first six months of this year, the Office for Civil Rights (OCR) agreed to almost $15 million in settlement payments with covered entities and their business associates. In July alone, the agency compelled two health systems to pay a combined $5.5 million for violations of the Health Insurance Portability and Accountability Act (HIPAA) involving data breaches that affected 13,000 patient records. The fallout from just one compromised patient data file can be breathtaking; one of the two health systems cited in July settled at a cost of $2,000 per record.

On average, a data breach costs a healthcare organization more than $2.2 million and its business associates more than $1 million. Is it worth risking that by taking an "it can't happen to us" attitude?

  2. The chance of a data breach is greater than you think. The Ponemon Institute's latest annual survey on healthcare data privacy and security found that nine out of 10 healthcare organizations had reported a data breach within the past two years, and 45 percent of the respondents reported more than five such data thefts in that period. And if you're a private practice or a general hospital, you are more likely to sustain HIPAA violations than any other category of healthcare provider.
  3. A breach won't just cost you money. It'll cost you your reputation and the confidence of the people who do business with you. A breach affecting more than 500 records must be reported to the OCR, and it appears on the OCR's public website. Meanwhile, local media and every patient who could potentially be affected must be notified. That kind of negative publicity can create another kind of breach: one of trust between you and your business partners and customers.
  4. Because even the smallest healthcare providers are using electronic health record systems, issuing prescriptions through digital apps and sharing data electronically with other care partners, a data breach can happen at any place where data is handled or transmitted within your organization. That involves every employee and every interface between electronic systems.

On the other hand, there are four compelling reasons why an audit can be a good thing.

  1. An audit is like life insurance for your business, and it's not hard to find capable, reputable auditing bodies to perform one. While very small providers can't afford full-time data security staff, there are third-party resources available that can help healthcare practices determine the kind of security and privacy plan they need, set up that plan and proactively monitor it to protect those providers in case of a data breach or regulatory audit.
  2. Your data plan, which you can strengthen and validate through the voluntary audit you commission, can be so comprehensive that nothing is left to chance. It can include step-by-step instructions to follow if a data breach or attack occurs, specific training for all relevant employees and specific responsibilities for business associates who may access sensitive information.
  3. Setting your own audit in motion will help you uncover any data system flaws or breaches that exist before they come to the attention of the OCR or the public. In fact, most data breaches (58 percent) are uncovered during audits and assessments.
  4. If you need in-depth auditing and accreditation services to protect your data and attest that it hasn't been compromised, organizations such as the Electronic Healthcare Network Accreditation Commission (EHNAC) and other third-party organizations can furnish them. The benefits are considerable: in 2012, the Utah Health Information Network (UHIN) was one of just two clearinghouses with zero findings following an OCR audit. UHIN attributed its success to an earlier audit by EHNAC, which has accredited UHIN since 2004.

Four carrots and four sticks. Whatever motivation you need, your company must enact a plan for dealing with protected health information: a plan that's checked regularly, updated periodically and audited occasionally to ensure your data is safe.




Sounds good. I wish every hospital had such a plan. It's just much easier to manage data and to keep it safe.
I do agree that an audit is a good thing and should be performed regularly.