[BreachExchange] Don’t Fear a HIPAA Audit—Fear Being Uninformed

Audrey McNeil audrey at riskbasedsecurity.com
Wed Aug 17 20:28:29 EDT 2016


http://dentistrytoday.com/news/todays-dental-news/item/1176-don-t-fear-a-hipaa-audit-fear-being-uninformed

Your healthcare records are under attack. It seems like we read about
another data breach or ransomware attack every day. In 2015, the protected
health information of more than 100 million patient records was
compromised. This is why the federal Department of Health and Human
Services (HHS) recently announced random Health Insurance Portability and
Accountability Act (HIPAA) audits for covered entities and their business
associates. HHS is using the same strategy that creates fear of an Internal
Revenue Service audit to mobilize healthcare professionals to take action.

Here’s the thing: If the fear of an audit is not enough to cause you to
take action, the fear of a data breach or ransomware attack should. You
must protect your most valuable asset—your patients’ private information.
If you focus on your key vulnerabilities to secure protected health
information (PHI), a random audit won’t matter, because you’ll be well on
your way to HIPAA compliance. However, if you do nothing, you exponentially
accelerate reputational and financial risk.

Focus on protection, not avoiding penalties.

An audit is only a regulatory method of policing something that regulators
feel is critical. In the case of HIPAA, HHS announced random audits because
too many covered entities and business associates aren’t holding up their
ends of the bargain. Audits are simply the quickest way to inspire action.
But with so much emphasis placed on the policing of HIPAA compliance, it’s
easy to forget that the point of such regulation is to protect practices,
not penalize them.

Be proactive, and evaluate your risks.

Instead of fearing audit repercussions, ask yourself, “In the absence of an
audit, would I still understand where my practice is most vulnerable?” If
you don’t know your vulnerabilities, how can you protect against them? With
the speed at which technology is accelerating, anything that can go wrong
eventually will.

The best way to understand where you’re vulnerable is to take a risk
assessment. Risk assessments are especially helpful for small to mid-sized
offices that just don’t know where to start. Hire a professional to help you get
started. Attempting to navigate HIPAA alone and uncovering where your
practice may be most vulnerable is like trying to do your own taxes; it’s
most likely not the best use of your time.

Start with your IT and administrative personnel. They’ll help make sense of
the requirements and how your practice can most effectively meet them. They
can begin by reviewing the basics at hhs.gov, although I’d also recommend
partnering with a HIPAA professional to build a team that can quickly
uncover where your practice might be most vulnerable. The idea that your IT
department and office manager have HIPAA and patient data protection
completely covered is a common and dangerous misconception.

Understand your key vulnerabilities.

Here are key areas where we see most small to mid-sized practices fall
short:

- A lack of updated policies, procedures, and business associate agreements;
- No documentation or plan to train employees on the importance of security
  and privacy;
- Not using proper encryption for backing up and emailing protected health
  information;
- No proactive emergency and incident response planning;
- No experience of testing the restoration of PHI in case of an incident;
- No Payment Card Industry (PCI) certification on file, leading to
  unnecessary fees;
- No asset protection or clear understanding of steps to take in the event of
  a data breach.

By being proactive and taking steps to assess your practice’s security
measures (through a risk assessment), you can quickly identify potential
risks and mitigate them. In fact, risk mitigation is the entire philosophy
behind HIPAA compliance and the security of PHI.

The trick is to protect your practice without draining all your profits in
the process. You are running a small business, after all. You don’t want to
spend all your time and money trying to guarantee a completely risk-free
environment. That isn’t practical. However, finding the right balance
between mitigating risk and resource allocation is.

Yes, there is a chance you will be randomly selected for a HIPAA compliance
audit. But more importantly, you should be taking proactive steps to secure
PHI and mitigate key vulnerabilities—not because of an audit fear, but
because it’s the right thing to do for you, your employees, and your
patients. I don’t fear an IRS audit, and yet, inevitably, I file my taxes
every year.

The first step for both you and your patients’ benefit is to take an
assessment of your vulnerabilities. It’s easy to get started. You can begin
here: HIPAA Risk Assessment (http://ra.officesafe.com/#/123/hipaarisk).