|Articles|November 21, 2018
Make Sure You're HIPAA Compliant Before You Have to Prove It
8 ways healthcare leaders can prepare for a HIPAA compliance audit.
Advertisement
HIPAA compliance is critical for all healthcare stakeholders. Image has been altered. Licensed from vege - stock.adobe.com.
Phase 2 of the Office of Civil Rights (OCR) Health Insurance Portability and Accountability (HIPAA) Audit Program gives healthcare providers 10 days to prepare. Phase 3’s on-site audits give you no time to prepare; auditors show up without warning to review how well you are complying with HIPAA policies and practices. And even if you aren’t chosen for a random HIPAA audit, you can still face penalties for noncompliance if you experience a patient complaint or a breach.
>>
Taking the opportunity to proactively strengthen your privacy and compliance program will help you maintain control of your patient data and avoid compliance headaches that are costly and time-consuming. In other words, the best time to prepare for an audit is before you’re in one.
Phases of HIPAA Compliance
For Phase 2 of the Audit Program, both covered entities and business associates had to meet selected standards and implementation specifications under HIPAA’s
Because the data security landscape has become so complex and fluid, compliance regulations will become more stringent. But rather than dreading an OCR audit, care providers can approach the prospect of an audit as a foundation for making the best choices when adopting new tools, technologies, personnel and workflows.
Typical HIPAA Issues to Look For
HIPAA defines a breach as the acquisition, access, use or disclosure of unsecured protected health information (PHI) in a manner not permitted by HIPAA. This activity must pose a significant risk of harm to the affected individual, whether it’s financial, reputational or other damages. Under the HIPAA Breach Notification Rule, covered entities and business associates are required to notify affected individuals if unsecured PHI is breached.
The HIPAA violations that result in the largest fines are:
- Third-party disclosure of PHI
- Improper disposal of PHI
- Mishandling of medical records
- Employees disclosing information
- Database breaches
- Lost or stolen devices
- Failure to perform an organization-wide risk analysis
- Employees legally accessing patient files
- Lack of training
- Failure to encrypt PHI on portable devices
These are just the violations that cost the most. In addition, many other events can result in a HIPAA violation or breach, and therefore fines and settlements — including drug diversion, cybersecurity attacks, insider threats, fraud and identity theft.
Typical HIPAA Violations
HIPAA audits have both a bark and a bite. Since the regulation went into effect in 2003, the OCR has discovered 56 Privacy Rule violations and handed out close to $100 million in fines. And as of 2018, the OCR has received more than
The compliance issues most often investigated by the OCR are, in order of frequency:
- Impermissible uses and disclosures of PHI
- Lack of PHI safeguards
- Lack of PHI patient access
- Lack of administrative safeguards of ePHI
- Use or disclosure of more than the minimum necessary PHI
The covered entities that most often violate HIPAA are general hospitals, health plans, outpatient facilities, private practices and physicians, and pharmacies. More than 37,670 complaints were investigated by the HHS as of July 2018, 69 percent of which have received corrective action.
>>
Ready at Any Moment
You may receive an audit letter — or auditors may just show up at your doorstep one day. Either way, if you’re following HIPAA’s requirements, there is no need to worry. Below are eight recommendations for staying proactively prepared for an OCR audit.
1. Monitor PHI to Protect It
HIPAA stipulates that covered entities and business associates must ensure the confidentiality, integrity and availability of all electronic PHI (ePHI). In addition, electronic systems holding ePHI must allow access to those persons who have been granted access rights.
A best practice is to monitor all systems holding ePHI, including electronic health records (EHRs), cloud applications and mobile devices. By monitoring with a full lifecycle platform, they can detect, investigate, mitigate and remediate inappropriate activity to address incidents. This can also help organizations identify employees who need training, sanctioning or retraining — and foster a culture of privacy and compliance that prevents future incidents from occurring.
2. Identify High-Risk Assets
Covered entities must make the necessary policies and procedures for a privacy and compliance program that adheres to the final Breach Notification Rule. To do so, identify your high-risk assets and ensure that your risk analysis of these assets is current. These should include both technical and non-technical assets that are business-critical.
3. Implement HIPAA Compliance Policies and Procedures
Data are highly valuable to the good guys and the bad guys alike — even if the “bad” guys are well-meaning but uninformed employees. Unless there are proper policies and procedures in place, employees and insider threats may do things to put PHI in jeopardy. Under HIPAA 164.316, organizations are required to implement “reasonable and appropriate policies, procedures and standards.” Furthermore, organizations are required to document those policies and procedures to prove they’ve set boundaries and made expectations and standards transparent.
4. Do a Risk Assessment
You are required to conduct risk assessments to determine the probability of compromised health information. The main goal is to determine whether you need to report a PHI breach. The Office of the National Coordinator for Health Technology (ONC) and the OCR recently updated their
>>
5. Deploy Identity Correlation
Organizations can improve compliance by implementing identity correlation technology in their EHRs and cloud applications. This is important, as FairWarning sampled 1 million users of EHRs and cloud applications and found that 26 percent were poorly known or unknown to the care provider. This means that these users are unable to be monitored and audited, making it difficult to train or sanction them in the event of a HIPAA violation.
6. Continue Employee Training
7. Keep Business Associate Agreements
Covered entities and vendors are both required to create, receive and transmit PHI in a secure and intended manner. Therefore, it is a critical best practice to enter into business associate agreements (BAAs) with any vendors handling PHI. If either party violates the BAA, they may face penalties from the HHS. Most importantly, find a vendor who takes the BAA very seriously. Any organization can sign one, but do they have the proper protocols in place to responsibly handle PHI? Ask questions and investigate to assess how secure their processes really are.
8. Develop an IRP
An incident response plan (IRP) helps your organization contain security incidents that would otherwise become breaches requiring regulatory involvement. The
Moving Forward
When you have policies and procedures in place to remain compliant, an OCR audit won’t strike fear into your heart. You’ll have confidence knowing you’ve done everything necessary to keep your data and that of your patients private and secure. You’ll also be laying the groundwork that will keep you prepared for new regulations and new technology.
Shane Whitlatch works with
Get the best insights in healthcare analytics
Related
Newsletter
Advertisement
Related Content
Advertisement
Latest CME
Advertisement
Advertisement
