So your company was just notified that they will be audited for HIPAA compliance. That’s not surprising, considering that the Office of Civil Rights (OCR) has a “wall of shame” comprised of more than 1,000 data breaches, with at least 34 occurring in the month of June alone. To ensure that privacy standards are being met by healthcare organizations regarding protected health information (PHI), the U.S. Department of Health and Human Services (HHS) conducts periodic audits. Any covered entity (CE) and business associate can be audited at any time. Following are some key steps to take to successfully prepare for a HIPAA Compliance Audit.
1) Perform a HIPAA compliance self-audit in advance
Think of it as a test-run to ensure all the necessary security procedures are in place. This is also a good opportunity to educate employees on HIPAA compliance regulations. Start by doing a quick GAP assessment based on the HIPAA OCR Audit Protocol. This is a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. Once you understand gaps, formulate a plan for addressing them.
After you’ve completed a GAP analysis, you may wish to engage an outside company who is experienced in the nuances of HIPAA compliance to conduct follow-up audit to ensure a comprehensive assessment. This internal assessment will help you proactively manage your organization’s risk against violations and help position it as a compliant-focused company with your customers.
Finally, make sure your hosting provider has a comprehensive, measurable security environment that has been assessed against HIPAA compliance regulations. View our on-demand webinar, Assessing Your Hosting Environment for HIPAA Compliance to learn more.
2) Document a disaster recovery plan
Many organizations view HIPAA compliance as a security solution and don’t consider the importance of availability. HIPAA compliance demands that PHI is accessible during normal business operating circumstances as well as in an emergency. “Availability is an often overlooked requirement of the HIPAA Security Rule,” says Daniel W. Berger, President and CEO of Redspin, Inc. Security is in fact defined as ‘CIA’ – confidentiality, integrity and availability. It is one of the most frequent findings in a HIPAA Audit.” Make sure you’re working with an IT solutions provider that offers always on availability in their core infrastructure as well as solid failover solutions from their central location to remote sites.
3) Mandate adherence of basic security measures
In the course of day-to-day operations and deadlines, basic security measures can easily slip through the cracks. Have your IT team conduct a security audit every quarter to ensure that all employee computers and mobile devices (company-issued or BYOD) have the latest version of antivirus software installed on them. Also consider installing wiping software that can remotely delete company information from a laptop or mobile device in the event it is lost or stolen.
Installing login retry protection will also help reduce the chances of an unauthorized person accessing a company computer. However, hackers are becoming more sophisticated, so periodically train your employees on how to spot and report malicious email. Also review and update your policies for disposing information assets – whether digital or physical.
If your company is still storing protected health information (PHI) in multiple devices on locally run software, your exposure to threats increases. Consider implementing a SaaS platform in which data resides in highly secure, controlled hosting environment that is completely auditable. With SaaS platforms, data only leaves transiently when accessed by the user.
4) Encrypt everything
Encrypting sensitive data on servers is a no-brainer – and only part of the compliance equation. Although not required by HIPAA, consider encrypting data while stored in the database, and especially during transmission. Have your IT team install encryption software on all desktops, laptops, mobile devices and mobile storage media. And train employees and contractors on how to use it. Finally, have IT conduct random checks to ensure the encryption software is being used properly. Below are additional encryption activities to consider.
o Content such as images or scans should be encrypted and contain no personally identifying information.
o Don’t use public FTP – use an alternative method to move files.
o Only use VPN access for remote access.
o Passwords are not enough. Use a multi-factor solution such as a RSA token to avoid unauthorized access.
5) Properly secure your paper files
Organizations often ignore the security of their paper files. Keep in mind that HIPAA compliance audits encompass both digital and physical data assets, so ensure all your paper files are properly stored and locked. Paper records that are past their required storage date should be digitally stored and properly destroyed. Document every step in this process to ensure that it complies with HHS.
6) Develop and implement comprehensive training policies
One of the biggest stumbling blocks that organizations run into during a HIPAA audit is not having policies in place to establish how confidential information should be handled. Many resource-constrained companies also don’t implement proper training to educate employees about these policies and procedures. Achieving and maintaining HIPAA compliance requires commitment from your employees. Handing them a training manual isn’t going to cut it. In addition to training your employees on company policies, make sure they are well-versed in issues such as Internet safety, spear-phishing emails, creating and using strong passwords, and other security policies that are relevant to your business.
For more information on how to prepare for a HIPAA compliance audit, download our HIPAA Compliance Guide.