Security may not be a sexy project for IT to get excited about -- until something goes wrong. The trick is getting the attention of healthcare IT executives before a data breach happens. At HIMSS 2014, ONC Chief Privacy Officer Joy Pritts provided some tips to stay on track compliance-wise and avoid penalties.
The first and most important item on the list? A security assessment. Then, documentation of the assessment and what your organization is doing to address the risks it uncovers. Pritts offered tips for performing a risk assessment that could help prevent data breaches and make sailing smoother in the event of an unannounced HIPAA audit, which the U.S. Department of Health and Human Services (HHS) is now empowered to do under last year's final HIPAA omnibus rule:
- Forget your facility's size. Factors such as organizational size do not negate the need for a security assessment. HHS makes tools and resources available for all HIPAA-covered entities. Moreover, ONC is working on new tailored guidelines to help smaller independent physician groups complete their assessments, as well.
- Be ready to show OCR auditors your processes and assessment: A key step to avoiding penalties and ensuring HIPAA compliance is to document the risk assessment performed to evaluate threats to the personal health information (PHI) the organization manages. "When OCR [HHS Office for Civil Rights] shows up at your doorstep," Pritts said, "show them you have thought about your security and have done your assessment."
- Re-evaluate every time your organization changes: Revisit your assessment regularly so that when your organization encounters internal changes -- such as system upgrades, new tools or new staff -- you can determine whether a full reassessment is needed. Pritts emphasized this several times as a process healthcare organizations must follow to protect PHI and stay current.
- Look for qualified resources to help with your risk assessment: Ideally, a certified security expert on staff would monitor systems such as firewalls, HIPAA audit logs, servers and EHR systems. Where no staff member fills that role, the organization must work with a vendor that has the expertise and experience to deliver a comprehensive risk assessment meeting the criteria set by OCR and the HIPAA rule.
- Avoid the myths of vendor and consultant HIPAA-compliance claims: While some vendors provide tools that support a healthcare organization's HIPAA compliance efforts, no vendor can claim its product or service is itself "HIPAA-compliant." Healthcare providers, not products or services, comply with HIPAA. Small physician offices in particular may encounter vendors claiming to sell compliant tools. Pritts warned of statements such as, "Buy my product and you will be HIPAA-security-compliant." She made it clear that ONC is concerned that small practices need to be wary of false claims by vendors, particularly those selling technologies that do not address the processes and employee training HIPAA compliance requires.
Securing health records is not solely a job for technical staff. It is an organizational effort in which every member of the group must participate. Engaging staff to protect patient information as part of their daily routine helps ensure HIPAA compliance. In turn, the organization minimizes the risk of data breaches, legal and public relations nightmares, and failing an unannounced HIPAA audit.
About the author:
Reda Chouffani is vice president of development with Biz Technology Solutions Inc., which provides software design, development and deployment services for the healthcare industry.