5 steps to prep for an OCR audit

Towing the PHI Line
By Benjamin Harris
01:45 PM

3. Be ready. No matter how much bolstering and toughening up a security protocol gets, that can't guarantee that it will pass OCR's muster. With 2012 being a busy year for the Office's audit program and 2013 looking to step up that number, Barrett says it's a sound investment to devote resources to being prepared for an audit. "Go through your risk assessments now, go through policies and procedures and if necessary and you feel it's appropriate, have a third party review your infrastructure," says Barrett. "Organizations that are prepared were able to pass the OCR audit." He adds that the costs of a third-party audit can be high, but that it may be money well spent when the alternative, a failed audit or, worse, an actual breach, can cost a healthcare organization even more. "Organizations that have breaches, the PR disaster was greater than the resulting fine," he says.

4. Know your neighbors. In many respects, a hospital is only as secure as the companies it works with. PHI is PHI, and it doesn't matter who has it; if it is insecure, it reflects poorly on the organization that collected it in the first place. Barrett says that to guarantee PHI safety and fare better in an audit, organizations should look to partner with organizations that have undergone a third-party review of their own. "They can demonstrate that they meet the bar and can meet the appropriate controls," he says. Barrett lists some requirements that should form a baseline for what an organization would want to see in a potential partner: they "must refrain from selling or otherwise using PHI in such a way as to violate privacy... must utilize strong encryption, user authentication, message integrity, and support for nonrepudiation as security measures..." He also says that organizations should be able to show that their own house is in order, protected against malicious software and against people taking PHI with them on removable media such as flash drives.

5. Know yourself. Demanding high standards of third parties means that the organization doing the demanding needs to meet those same requirements. Barrett says that organizations should undertake an internal review or a third-party assessment regularly, to identify possible shortcomings and to develop best practices for moving forward. He adds that engaging a third party to provide an objective review can have some serious gains beyond just passing an OCR audit. "Organizations that have expertise, references, [and are] nationally recognized provide the credibility that customers and other interested parties and stakeholders" like to see, he says. He points out the value and resources that a third party can bring to a review as well, noting that they often "have the knowledge and expertise to identify gaps and recommend appropriate remediation actions ... because they are aware of the best industry practices and have conducted similar reviews with many other healthcare stakeholders." Barrett notes that there are a lot of these third-party organizations, and that with a little "homework and research," one that is nationally recognized and has a workable cost structure can be found.
