In the wake of healthcare data breaches, OCR audits for HIPAA compliance have become more common – and the consequences have been more highly publicized. But many healthcare providers still don’t know how to prepare effectively for an audit.
These organizations will be in a bind when random audit season arrives. Providers that might have passed with minimal effort can face serious penalties if they haven’t prepared.
How can affected organizations prepare more effectively? The first step is to sort fact from fiction.
Busting the myths
The first order of business in preparing thoroughly for OCR audits is getting your organization to understand the urgency of the task. That sense of urgency develops quickly once realities are sorted from wishful thinking about HIPAA compliance, including these common myths:
We’re too small to be audited. The upcoming OCR audits will cover organizations large and small, and there’s no such thing as “too small to be audited.” Small practices are being audited – and hit with significant fines after breaches.
Our security is strong enough – we’ll be fine. A provider may have relatively strong security, but unless it has carefully and comprehensively reviewed the HIPAA compliance requirements, that doesn’t mean it is ready for an audit. Full compliance requires specific forms of documentation, log monitoring, and training. Just as there’s no such thing as “too small,” there’s no such thing as “good enough.” What matters is that an organization is in compliance.
We’ve never experienced a breach, so our current security controls are sufficient. As with the last myth, a history of successful security isn’t the same as proper compliance. It’s also possible that what seems to be a history of success masks many undetected breaches. Finally, even if a network has truly never been breached, new bugs, attacks, and vulnerabilities are emerging constantly, and there’s a first time for everything. Getting in compliance with HIPAA requirements helps an organization avoid both penalties and breaches.
Getting in compliance
Once a team understands the realities and the urgency of getting in compliance, there are several steps they can take to improve readiness. We’ve identified some key topics to consider and tips to help businesses ready themselves for an audit. Beyond a comprehensive Risk Assessment, which is a given, place emphasis on these areas:
1. Asset management
Organizations should have a thorough inventory of all sensitive data in their possession. For those that do not have such an inventory, building one should be the first step they take to assess their readiness for OCR audits.
In order to ensure that one has taken the proper security measures, it’s important to understand the full scope of the data that must be covered.
2. Vendor management
Vendors who connect to a provider’s network are also subject to HIPAA compliance rules. In order to fully assess their own readiness, organizations should identify and contact all relevant vendors to confirm that they are in compliance.
3. Security monitoring
Under HIPAA rules, the simple presence of security infrastructure like a firewall isn’t enough – security logs must be continuously monitored for signs of irregularities. “Reactive” monitoring – looking at your security situation only after a breach – is insufficient. Providers and other organizations must be proactive.
For most healthcare organizations, the best way to accomplish this will be either a dedicated in-house security team or a third-party managed security monitoring service. Either of these approaches will put expert human eyes on a network at all times, and identify red flags as soon as they arise. Potential breaches could even be prevented before they occur.
4. Encryption
The proliferation of mobile devices that store or access sensitive data combines with breach notification rules to create a difficult situation for organizations – the simple loss of an unencrypted device or digital media may trigger a legally mandated report. Prior to an audit, organizations should review their encryption policies to ensure that they are comprehensive. Additionally, providers are strongly advised to encrypt mobile devices and portable media.
It is important to note that the HIPAA breach notification rules contain a “safe harbor” exemption for properly encrypted data on mobile devices or media. Here’s how it works: if a lost device can be shown to have used authorized encryption techniques, a provider will not have to report the incident as a breach. So it is a good idea for organizations to evaluate their encryption and confirm that it is up to date.
As an additional security control, it is advisable for organizations to utilize remote-wipe functionality on mobile devices so that, from a distance, sensitive data may be deleted the moment a device is lost or stolen.
For healthcare providers and other organizations facing the prospect of OCR audits, it’s essential to recognize the serious possibility (and potential consequences) of an audit, and take informed steps to prepare as effectively as possible.
In addition to the measures above, seeking a risk assessment from third-party security experts is an advisable way to ensure that you’ve covered your bases and that your security strategy is in line with current HIPAA requirements. Organizations that do so not only protect themselves comprehensively, but also help create a high level of safety for their consumer and community healthcare environments.