alphaspirit - Fotolia
Meanwhile, it is imperative for healthcare providers to prepare for the new round of HIPAA audits expected soon from the U.S. Department of Health and Human Services' Office for Civil Rights (OCR).These distinct yet interwoven themes emerged at the 2015 American Health Information Management Association (AHIMA) Convention and Exhibit from two experts who delivered how-to tips to health information managers and other attendees.
Rob Rhodes, a former healthcare industry CIO turned health data privacy consultant, used an analogy involving the ancient Greek Spartans. The warrior nation was undone by one of their own, Ephialtes, who betrayed the Spartans and helped a Persian army destroy them.
"They didn't protect against the insider threat," said Rhodes, vice president of application software at Iatric Systems Inc. in Uxbridge, Mass., a health IT systems integrator. "They didn't think it would happen."
PHI security audit prep is key
In a separate AHIMA session, David Holtzman, former OCR health IT and HIPAA security rule senior advisor, said healthcare organizations -- and other covered entities under HIPAA, including business associates -- should focus on one thing to ready for audits from OCR and other federal agencies.
"Practice," said Holtzman, now vice president of compliance at Austin, Texas-based health data privacy and security consulting firm CynergisTek Inc. "It's putting your documents together and going through the list."
For HIPAA audits, the list includes: policies and procedures for security and risk management processes; security responsibility; workforce security; and employee termination procedures.
While OCR appears ready to launch formal HIPAA audits, Holtzman noted that CMS has also been doing its own meaningful use audits, though he asserted the meaningful use program is somewhat "in disarray."
Even so, CMS has conducted about 17,500 such audits a year and made providers that fail those inspections pay back federal incentive money.
"Organizations that had problems in prior audits or whose data is not in good shape … seem more likely to be audited," Holtzman said.
Designate central contact for CMS audits
The CMS audits, designed to confirm whether healthcare providers meet measures of meaningful use for EHR incentive payments, also gauge whether providers have done a PHI security risk assessment that is based on the HIPAA Security Rule. That assessment of the potential of PHI to be stolen, looked at improperly, or lost is also a major part of HIPAA audits.
Here's a key audit tip Holtzman left his audience with: Coordinate who is the designated contact to whom audit notices should be forwarded, especially in large organizations that have many eligible providers.
That step is necessary because when the contractor that CMS uses to do audits, New York law firm Figliozzi & Company Inc., emails providers notifications of upcoming audits, individual doctors who get them may not realize they are about to be audited, and so do nothing to prepare.
"It's very important to educate your providers that the name Figliozzi should strike fear and that those communications should be routed to the appropriate folks," Holtzman said.
Providers neglect insider threat
As for the insider threat to PHI security, Rhodes said many providers are like the Spartans.
"We fail to accurately assess the risk of an insider," he said.
While many insiders -- that is, healthcare organization employees who snoop at the health records of celebrities, co-workers, family members or even themselves -- are not motivated by money as was the Spartan traitor, Ephialtes, such unauthorized views are illegal, Rhodes noted.
"Many times they get caught, but the problem is big," he said.
With the explosion of health data in EHRs and medical image repositories, these incursions have become commonplace, but are far from always harmless, Rhodes said.
Often, an easily accessible health record is the way into financial data; disgruntled insiders can steal health information for retribution or financial gain.
Patients want health data security
More and more, patients are demanding better security for their PHI and are taking their healthcare business to providers that protect the data better, Rhodes said.
"Those who ignore this are really putting their organizations at risk," he said.
Dealing with the insider threat is about "people, procedures, technology and culture," Rhodes added.
That approach means training, education and more background checks of current and prospective employees. It also means disciplinary measures for policy violators.
Before organizations resort to punishment, they should make sure all employees know the new rules.
"Educate," Rhodes said. "Otherwise people will be unhappy."
Indiana care group made $750,000 HIPAA violation settlement
Wearable health technology's association with HIPAA
Providers commit resources to health data security, cyberattack prevention
OCR officials pick where to conduct HIPAA audits