tiero - Fotolia
Security will once again be the focus of many healthcare IT executives in 2015, as a result of high-profile data breaches that hit Sony, Target and eBay. Sophisticated attacks have increased the concerns of IT executives across numerous industries. Fortunately for the healthcare industry, HIPAA audits performed by the Office of Civil Rights (OCR) are serving as encouragement for HIPAA-covered entities to re-evaluate their current security practices.
Assembling an internal security task force is largely the responsibility of an IT department. Another individual or group within an organization should review what the security team has implemented and ensure it meets the requirements established by HIPAA. This setup of checks and balances serves as a method of identifying if and where any gaps exist in a security environment.
The OCR completed a pilot run of HIPAA audits in 2014, during which several healthcare entities were subjected to inquiries from a third party or an OCR -contracted entity, such as KPMG LLP. Not all covered entities passed the audits. This highlights that although many organizations may feel well-prepared for the security requirements and processes mandated by HIPAA, it's possible to fall short of the required safeguards to protect patients' personal health records.
Prepare for an audit
Fortunately, an organization can easily ensure that it is ready for a HIPAA audit or a review of its security compliance. By addressing the following items, an organization can be certain it has taken the appropriate precautions to prepare for an Office of Civil Rights audit and ensure its technological environment is sufficiently protected.
An internal compliance officer should have a deep understanding of all the HIPAA requirements and be aware of potential areas of weakness that HIPAA auditors might be looking for. To help compliance officers with this, several online resources describe each of the different sections of HIPAA.
The first step that should be taken is performing a comprehensive security assessment and risk analysis. These reviews should be based on HIPAA-specific recommendations from the National Institute of Standards and Technology risk assessment guidelines.
All security gaps should be addressed once the evaluation is completed. Some of the more complex problems may require additional employee training, software packages and updated security processes and procedures. All problems and corrective actions must be documented so they can be reported to an auditor.
Include all business associates
Vendors or other external entities that are considered business associates must also be considered part of a healthcare organization's security plan. All linked organizations should be properly identified and have signed a business associate agreement. This will ensure all involved parties are aware of what is mandated by HIPAA. Internal policies such as privacy notices and breach notifications should not be overlooked because they are as critical as the technology aspect.
In addition, an organization must offer its staff adequate HIPAA training during and after the implementation of new technology. These sessions will help individuals within the organization be aware of all that is required of them under HIPAA rules.
A healthcare organization must prepare its team and systems for a HIPAA audit. Doing so will not only protect against data breaches and fines, it will also reduce the risks associated with gaps in internal processes and procedures. The Office of Civil Rights will continue its process of auditing entities throughout 2015 and offer feedback on its findings to inform healthcare organizations in their HIPAA preparations.
About the author:
Reda Chouffani is vice president of development at Biz Technology Solutions Inc., which provides software design, development and deployment services for the healthcare industry. Let us know what you think about the story; email [email protected] or contact @SearchHealthIT on Twitter.
Office of Civil Rights ponders future of HIPAA audits
Healthcare providers adjust to meaningful use, HIPAA
HIPAA penalties mentioned at AHIMA convention