OCR Audit Readiness-HIPAA Security Rule

Posted by John Dimaggio on Jun 29, 2016 2:30:42 PM

In OCR Random Audits

Healthcare Providers are legally and ethically obligated to ensure patient privacy. And with the 2016 OCR audits currently underway, now is the time to ensure your organization is compliant with the requirements and implementation specifications of HIPAA Privacy, Security and Breach Notification Rules. This article will focus on best practices to ensure compliance with the Security Rule.

Based on the type of Covered Entity or Business Associate selected for audit, OCR will identify a subset of audit topics from among the 72 potential Security audit items. Since an organization has no way of knowing which of the 72 topics OCR will select, it is best to be prepared to demonstrate compliance with all 72 topics.  Below is a summary of best practices for HIPAA Security that can help you assess your organization’s audit readiness:

  • Conduct regular HIPAA Security Risk Assessments. Risk analysis is itself a required implementation specification of the Security Rule (45 CFR 164.308(a)(1)(ii)(A)). A thorough and accurate assessment covers every system, location and workflow that creates, receives, maintains or transmits EPHI, measured against the 60-plus standards and implementation specifications of the Security Rule.
  • Implement an Active Security Plan. A good security plan is the product of a good risk assessment. The plan should clearly list each gap identified in the assessment along with the assigned owner, resources and projected completion date. Beyond thorough content, the organization must actively manage the plan and be able to demonstrate that reasonable remediation progress is being made. Note that open remediation items are still potential violations and can produce negative consequences in the event of a HIPAA audit, so move as quickly as possible.
  • Evaluate Third Party Agreements. Evaluate the agreements, requirements and practices you have in place with third-party IT service providers and other Business Associates. It is critical to confirm that Business Associate Agreements are in place, are HIPAA compliant, and are reviewed consistently; a vendor that handles EPHI without one is a violation in its own right.
  • Encrypt your EPHI. Encryption that follows the NIST guidance HHS references (for example NIST SP 800-111 for data at rest) renders PHI unusable, unreadable or indecipherable to anyone without the key, in transit or at rest, which is what keeps a lost laptop or an intercepted transmission from being a reportable breach. That safe harbor only holds if the keys are stored and managed separately from the data; a stolen device with the key cached on it is not "encrypted" for breach purposes. It should also be noted that a potential breach event (an impermissible use or disclosure of PHI) is presumed reportable unless the organization can demonstrate, through a documented risk assessment, a low probability that the information was compromised. Simply said, "Guilty unless proven innocent".
  • Conduct Frequent Vulnerability and Penetration Testing. Vulnerability scanning finds known weaknesses; penetration testing goes further and attempts to exploit them to determine how likely real-world threats against an organization's IT assets and physical security are to succeed. A good test simulates the practices and methods of external or internal actors attempting unauthorized data access. Neither is named explicitly in the Security Rule, but both are the evidence behind the required risk analysis and the periodic technical evaluation standard (45 CFR 164.308(a)(8)). Address the gaps identified in testing promptly, in order of risk, and record each fix in the security plan.
  • Invest in Employee Security Awareness Training. Employee carelessness, forgetfulness or lack of knowledge can open a huge gap in an otherwise secure setting. Make sure your employees understand the mechanics of spam, phishing and malware. Test the success of your training with your own internal phishing simulations that attempt to solicit information or credentials from employees, and measure not only who clicked but who reported the message. Attackers often masquerade as a trustworthy entity, such as the organization's CEO, to prey on unsuspecting or unknowing employees who they hope are too busy to notice the details, for example a familiar display name in front of an unfamiliar sending address.
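
The executive-impersonation pattern described in the last item can also be caught before a busy employee ever sees the message. The script below is an added example written for this article, not code from the original post or from BlueOrange Compliance; it assumes a hypothetical organization domain (example-health.org), a small hypothetical executive roster, and four constructed message headers. It flags mail whose display name matches an executive but whose address is not that executive's real one, mail from a lookalike of the organization's domain, and mail whose Reply-To points somewhere other than the sending domain, the three "details" a phisher is counting on nobody checking.

```python
"""Triage inbound mail for executive (CEO) impersonation.

Added example; the domain, roster and sample headers are all assumed/constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-health.org"  # assumed organization domain

# Assumed executive roster: display name -> the only legitimate sending address.
EXECUTIVES = {
    "Jane Doe": "jane.doe@example-health.org",
    "Sam Patel": "sam.patel@example-health.org",
}


def normalize_name(name: str) -> str:
    """Lower-case, keep letters only, sort words so 'DOE, Jane' and 'Jane Doe' match."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


ROSTER = {normalize_name(n): a.lower() for n, a in EXECUTIVES.items()}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one- or two-character domain lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str) -> bool:
    """Not our domain, but within two edits of it or embedding our domain label."""
    if not domain or domain == ORG_DOMAIN:
        return False
    label = ORG_DOMAIN.split(".")[0]  # "example-health"
    return edit_distance(domain, ORG_DOMAIN) <= 2 or label in domain


def triage(raw_message: str) -> list:
    """Return a list of finding codes for one raw RFC 822 message (headers + body)."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    findings = []

    # 1. Display name of an executive, but the address is not that executive's.
    expected = ROSTER.get(normalize_name(display_name))
    if expected and from_addr != expected:
        findings.append("exec_impersonation")

    # 2. Sending domain is a near-miss of ours (examp1e-health.org, example-health.org.evil.com).
    if is_lookalike(domain_of(from_addr)):
        findings.append("lookalike_domain")

    # 3. Replies would go to a different domain than the one the mail claims to come from.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        findings.append("replyto_mismatch")

    return findings


# Constructed sample headers, not real mail.
SAMPLES = {
    "legitimate": (
        "From: Jane Doe <jane.doe@example-health.org>\n"
        "Subject: Board packet\n\nPlease review before Thursday.\n"
    ),
    "freemail_impersonation": (
        'From: "Jane Doe" <ceo.janedoe@gmail.com>\n'
        "Subject: Urgent wire\n\nI'm in a meeting, need this done quietly.\n"
    ),
    "lookalike_domain": (
        "From: Jane Doe <jane.doe@examp1e-health.org>\n"
        "Subject: Payroll update\n\nPlease send the W-2s for all staff.\n"
    ),
    "replyto_hijack": (
        "From: Jane Doe <jane.doe@example-health.org>\n"
        "Reply-To: <billing@outlook.com>\n"
        "Subject: Invoice\n\nReply with the account details.\n"
    ),
}


def triage_all() -> dict:
    """Run triage over every constructed sample; returns {sample_name: [findings]}."""
    return {name: triage(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name:24s} {findings or 'clean'}")
```

The checks are deliberately cheap header-only heuristics of the kind a mail gateway rule or a SOC triage script can apply to every inbound message; they do not replace SPF/DKIM/DMARC, but they catch the freemail-with-executive-name and Reply-To tricks those protocols do not address, and the same `triage` function can score the messages from your own internal phishing simulations.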

 For more information on the best practices for 2016 OCR audit readiness, download our OCR Audit eBook by clicking on the below link:

 Download Our OCR Audit eBook

 BlueOrange Compliance has been providing privacy and security assessments, remediation, training and guidance since the inception of HITECH.  Our team is comprised of former healthcare IT executives and top security, privacy and technology analysts.  Our national client base consists of hospitals, physician provider practices, Nursing Facilities, LTC Pharmacies, LPCs, CCRCs, homecare, hospice and business associates.  If you want to learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit us at blueorangecompliance.com.