[BreachExchange] Are you making HIPAA compliance a priority in your practice?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Sep 13 19:19:27 EDT 2016


https://www.chiroeco.com/hipaa-compliance-priority/

In late 2015, the U.S. Department of Health and Human Services (HHS) called
for the Office for Civil Rights (OCR) to strengthen enforcement efforts of
compliance standards, including compliance with HIPAA Privacy and HIPAA
Security guidelines.

This request came after the release of healthcare compliance-related
studies, which demonstrated significant vulnerability to patients,
providers, and practices.1

The studies revealed reasons to be increasingly concerned about patient
privacy, such as inappropriate access to or disclosure of protected
information, data breaches, exposure to fraud, identity theft, medical
record theft, and other harmful occurrences.

These issues also pose significant risk to practices in the form of damaged
practice and patient relationships, investigations, and audits as well as
costly penalties.

The many conveniences that come with technology also come with
responsibilities to healthcare facilities. Though patient privacy has long
been an important topic in healthcare, a lack of enforcement has largely
left this crucial element on the back burner in many practices.

Furthermore, advancements in technology have also compounded risk and
vulnerability, making compliance a priority.

Limited risk

In the past, the patient privacy risks mentioned above were pretty much
limited to the possibility of a person walking into a practice and taking
off with patient files. Risk, in that case, was limited to the number of
patient records a person could carry out the door. Therefore, basic opening
and closing procedures together with a responsible workforce were
sufficient protections.

While there were other risks to consider, such as claims being mailed out
to the wrong payer, in general the risks and the potential impact to a
large group of patients were minimal.

Changing times

Now businesses are operating in a world where masses of protected health
information (PHI) are created, maintained, stored, and transmitted
electronically. This extends beyond EHR software and includes scanning,
email, electronic claims transmission, backup and storage, portable devices
(e.g., smartphones and tablets), instant messaging, and social media.

Access is no longer limited to someone being physically on site to carry
information off, but can now occur from just about anywhere, from
mishandlings inside a practice to cybercriminals outside the U.S. Also, the
number of patients at risk of unauthorized exposure could potentially
include your entire patient database.

New priorities

As mentioned, the OCR has the urgent task of ensuring that compliance is a
priority for healthcare providers. In their assessment, the reason
compliance is not a foremost concern in many healthcare facilities is
partly because enforcement efforts by investigative organizations have been
lacking.

To resolve this gap, the OCR has teamed with more agencies and implemented
protocols that allow them to conduct more investigations, respond quickly
to potential reports or findings of non-compliance, and sharpen the sting
for noncompliant covered entities with fines and other types of penalties.

The OCR is highly motivated to make this a priority, not only to preserve
the integrity of PHI but also to collect millions of dollars each year from
penalties assessed for noncompliance.

Some of the steps the OCR is taking to improve oversight of covered
entities include:

- Fully implementing the permanent HIPAA audit program,
- Developing a more efficient method to search for and track covered
  entities, and
- Expanding outreach and education efforts, including targeting the
  healthcare industry.

The OCR has been proactive in its approach and successful due to covered
entities (from all medical specialties) lagging in appropriate training,
implementation, and evaluation of customized compliance plans. Current
investigations are focused on many areas, including:

- Confirm the covered entity has recently completed a comprehensive Security
  Risk Assessment.
- Confirm action items identified within the Security Risk Assessment have
  been completed or are on a reasonable timeline to completion.
- If the organization has not implemented any of the addressable security
  standards, confirm within the organization policies and procedures why the
  addressable implementation standard was not reasonable and appropriate, and
  what alternative security measures were implemented.
- Ensure the organization has implemented an appropriate breach notification
  policy that meets standards.
- Ensure healthcare providers have implemented the Notice of Privacy
  Practices per the methods required by HIPAA privacy regulations.
- Verify healthcare providers have appropriately implemented policies and
  procedures to preserve the integrity of PHI (both electronic and
  otherwise), including internal workforce PHI communications.
- Confirm appropriate training has been performed and appropriately logged.
- Confirm that appropriate policies and procedures for security safeguards
  are in place per the administrative, physical, and technical safeguard
  guidelines.
- Confirm appropriate inventory and inventory security logs are completed, up
  to date, and meet requirements.
- Confirm appropriate backup systems, disaster recovery plans, and other
  activity monitoring plans are in place.

Practices must understand the risks they are taking if compliance is not a
priority. Again, the risks to your patients and your practice can have a
costly and stressful ripple effect. Although implementing a compliance
program may seem daunting at first, once in place you’ll find maintaining
it is straightforward, and it will be more cost effective than the
alternative.

Obtain support and guidance if needed to develop and maintain a compliance
program and be a proactive participant in compliance plan development.
Purchasing a prepackaged binder with the intent of customizing it is
unlikely to suffice for most practices, and can be damaging in the event of
an audit.

There are many software and training options out there that can help you
navigate the complexities of HIPAA compliance. Heed the warnings and ensure
compliance in your practice.