The Office for Civil Rights (OCR) has continued its stringent HIPAA audit process in recent years, with 2018 being a record enforcement year; a robust security program is the key to avoiding -- or surviving -- an audit.
HIPAA compliance is a pinnacle part of any privacy and security program, despite being written well before the digital age. While many have pointed out the holes in the HIPAA rule and may want to see an update, the regulation is here into the near future and compliance is not optional.
Troy Young, AdvancedMD’s Security Officer and Vice President of Engineering says of a HIPAA compliance program, “It should be considered a mandatory expense like an AC bill or electricity.”
In recent years, the Department of Health and Human Services Office for Civil Rights has made it clear that its enforcement efforts are going strong and will continue to target provider organizations that fail to meet those standards.
What Triggers an Audit?
On the outside, it can appear as if OCR audits happen at random. However, Young explained that the agency lacks the staff to audit an organization without cause. Instead, audits begin after some type of security event.
“Audits are triggered by something: either by a breach that occurs, someone in the practice reporting a violation, or something like that,” Young said. But Young’s research has found there are several primary events that trigger the audit.
Human error is one of the primary categories, which includes items like an employee opening a phishing email, using a weak password, or an employee using the wrong email address when sending PHI.
Another trigger is unpatched software, especially Windows, where many of these malware and ransomware exploits come into play. Insider wrongdoing is another trigger, along with the lack of a business associate agreement.
However, lost or stolen devices are one of the biggest reported offenses, especially if the organization hasn’t ensured all data on the move or at rest is encrypted. Several OCR settlements in 2017 stemmed from a lack of encryption on lost or stolen devices.
The Key Elements of a Compliant Security Program
But just what is OCR looking for when it performs a HIPAA audit? And how can providers be sure they can hold up to the scrutiny? Here are the key elements outlined in ONC’s guidance that explain just where organizations should focus to ensure they can survive a HIPAA audit.
Designated Security Officer: Organizations, no matter the size, need someone responsible for all things security. Whether the security leader comes from inside or outside of the organization, there needs to be someone tasked with developing security policies and procedures within the practice, as well as ensuring they’re compliant with HIPAA and documenting whether privacy and security rules are understood by staff. The designated security officer should also be tasked with employee training, from front-of-house staff to clinicians.
Security Risk Analysis: To Young, a security risk analysis is absolutely necessary. If you don’t have one in place or fail to document it, OCR will dock the organization.
Risk Management Plan: The analysis will enable an organization to create a risk management plan. An organization will determine the problem areas and can create an action plan for precisely how they intend to remediate those issues. However, Young said that it’s crucial organizations understand the plan isn’t just a one-time action. Organizations must revisit the analysis and management plan on a yearly basis, to determine whether new risks have been identified and to enhance the risk management plan to address those issues.
Business Associate Agreements: BAAs are a major component to ensuring HIPAA compliance, especially given some of the most recent OCR enforcement actions, Young explained. Providers must ensure they have a BAA in place with any vendor or care partner that handles patient health information.
Routine HIPAA Training: Organizations can solve a lot of problems if staff understands basic principles, such as the right to access their own data. Young said, “If staff understands basic principles, you could avoid the things that trigger an audit in the first place.”
No Excuse for Non-Compliance
Young stressed that a lack of resources will not be a valid excuse for OCR when an organization fails to employ these processes. “Unfortunately, that’s the world we live in,” Young said. “For better or worse, HIPAA is there and not being able to afford assistance in meeting the HIPAA privacy and security rule requirements isn’t an excuse.”
For small providers struggling with their security programs, Young recommends bringing in a third party with security and compliance expertise. There are a number of HIPAA assessment companies that are solely focused on compliance and can help organizations get on the right track. HIPAAcraticRX can fill this gap for your practice. Learn more about our affordable services and our five-step path to compliance. Read this article in its entirety at HealthITSecurity.