[BreachExchange] Ensuring HIPAA Compliance Before a Potential HIPAA Audit

[Audrey McNeil]

http://healthitsecurity.com/news/ensuring-hipaa-compliance-before-a-potential-hipaa-audit

Businesses and healthcare providers are facing increasing pressure to meet
and maintain HIPAA compliance standards. The Office for Civil Rights (OCR)
announced it will be performing a new round of random audits throughout
2016.

Before 2016, 98 percent of the OCR’s closed privacy cases were a result of
complaints. In this second phase of audits the OCR is making an effort to
take action on the recent findings by the U.S. Office of Inspector General.

The report claimed that the OCR had not implemented sufficient measures to
ensure covered entities were abiding by HIPAA privacy standards. The OCR
plans to take a proactive approach to enforcing HIPAA policies and its
second series of audits will encompass a wider range of organizations.

What’s the fuss?

For businesses, the primary concern revolves around changes specified in
the 2013 Final HIPAA Omnibus Rule. While these modifications have been
legally in place for three years, there has been little effort on behalf of
the OCR to enforce these standards.

The most significant change included in the amendment is the restructured
responsibilities of covered entities and their business associates. Whereas
before, the liability for HIPAA violations fell on the shoulders of the
healthcare provider, now business associates are subject to the same fines
and penalties as the practice with which they’re engaged. This means
business associates must perform annual security reviews, hold regular
employee training sessions, and implement a remediation plan if needed to
address any security holes within the organization’s network.

To clarify, a covered entity is any healthcare provider, healthcare
clearinghouse, or health plan that electronically transmits private health
information. A business associate is any person or organization that
produces, stores, receives, or transmits PHI for the covered entity with
which they’re associated.

However, in some states, the definition of a covered entity has been
expanded and organizations should check with their legal counsel or a state
trade association to learn more about state-specific regulations. The 2016
audits will be random and the OCR has yet to specify how many audits will
occur. While it’s not likely an organization will experience a random
audit, the HIPAA privacy and security policies should be strictly adhered
to and evaluated to prevent the costly legal and financial penalties that
can accompany a data breach.

What will a HIPAA compliance audit entail?

The OCR plans to complete three phases of audits throughout 2016. The first
stage will involve desk audits of covered entities, and the second will be
of business associates. These evaluations will examine the organization’s
compliance with HIPAA’s privacy, security, and breach notification rules.

The third round will occur onsite and will evaluate a wider range of HIPAA
compliance requirements. For desk audits, the OCR will request a number of
documents that must be delivered within 10 business days and may require
the organization provide documentation up to six years prior to the audit.
Requested items can include records of security reviews, remediation plans,
policies, processes, employee training logs, and any additional information
that correlates with HIPAA compliance standards.

Audits will review everything from patient PHI privacy requests, to use and
disclosure of PHI, to changes of PHI, to physical, technical and
administrative safeguards to ensure an organization is HIPAA compliant.

How can a business associate make sure it’s HIPAA compliant?

It’s necessary that an organization has the right processes, policies, and
documents in place at all times. Auditors often find businesses lack
adequate security reviews, remediation plans, and employee training
programs when they are evaluated. These deficiencies can cause significant
costs from both the fines and legal penalties associated with a breach, as
well as the time, effort, and money involved in the remediation of these
mistakes.

For example, on June 30, 2016, the OCR announced that the Catholic Health
Care Services of the Archdiocese of Philadelphia (CHCS) experienced a data
breach that occurred from an employee’s stolen iPhone in February 2014.

The breach affected 412 individuals and cost the organization $650,000 in
fines and penalties. The employee’s device held an abundance of sensitive
information and was left unencrypted and without a password protection code
in place.

In addition, OCR found the business did not perform a security review, have
an established risk management plan or security breach response strategy,
and had not implemented a BYOD policy prior to the incident. The lack of
planning and preparation by CHCS left the organization vulnerable to attack
and with a lofty corrective action plan to fulfill.

Any organization bound by HIPAA standards should ask itself the following
questions to determine its adherence to compliance regulations:

Does my business have written policies and protocols in place to address
HIPAA standards?
Is my business performing and documenting regular risk assessments?
Does my business have an established data security policy?
Does my business have a BYOD security and use policy?
Are the business associates affiliated with my organization HIPAA compliant?
Does my business have an effective incident response plan to handle a
breach if it occurs?
Are my employees required to complete regular HIPAA training programs?

HIPAA compliance regulations affect a number of organizations and it's
important businesses understand their specific responsibilities.

Businesses can either engage a managed IT services provider to help
navigate HIPAA compliance laws, or manage and implement standards
independently using the pool of resources made available by the OCR.
Whichever you decide, just do it!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160712/1d7b61bc/attachment.html>