TriPoint Healthcare Solutions

Advising, Educating, and Operationalizing Privacy and Security in Healthcare


Archives for June 2015

Are You Ready? 10 Questions that will Test Your Readiness for a HIPAA Audit.

June 11, 2015 by Danika Brinda

The Office for Civil Rights (OCR) announced recently that Phase 2 of the HIPAA audits has begun. The first round of pre-audit surveys has been delivered to both covered entities and business associates. If you are not in the first round of the audits, don’t breathe a sigh of relief, as it is only the first round and definitely will not be the last. Based on the recent increase in data breaches, the OCR is definitely going to identify new risks and vulnerabilities. The HIPAA audits are causing fear and concern among healthcare organizations. Now is the time to evaluate your current level of compliance to ensure that you have clearly established policies and procedures, and are following them as defined. Remember: Documentation is one of the keys to success with HIPAA!
Take this short quiz to test your readiness for a HIPAA Audit:
  1. Do you currently know and/or have a list of all systems that store, maintain, or transmit protected health information within your organization?
  2. Has your organization completed a HIPAA Risk Analysis within the last 2 years and do you have your Risk Analysis Report and Risk Mitigation Plan clearly documented?
  3. Has your organization evaluated and updated your policies and procedures since the final HIPAA Omnibus Rule (HITECH) was published in 2013?
  4. Do you have a clearly established process for identification of business associates and have current business associate agreements signed and on file?
  5. Do you have a documented process for your breach investigation within your organization?
  6. Do you have a process for maintaining burden of proof (administrative Breach Notification Requirement) for all investigated breaches (confirmed or not)?
  7. Do you currently conduct Information System Activity Review and Log-in Monitoring in the exact manner defined by your policies and procedures?
  8. Could you produce documentation to support the information system activity review and log-in monitoring, if requested?
  9. Have you conducted HIPAA training to your workforce members within the past year? Do you have documentation to support the training that was conducted?
  10. Do you have a detailed process for access management (adding users, modifying users, terminating users) in all systems that store, maintain, or transmit PHI?
If you answered NO to ANY of the above questions, your organization may not be properly prepared in the event that a HIPAA audit comes your way. The good news – you have time to fix it! Start now – don’t wait! HIPAA compliance doesn’t have to be a barrier to providing good patient care and customer service. If you take the time and operationalize HIPAA to meet your organization’s needs, you can have a successful HIPAA compliance program without impacting patient care and customer service. In fact, you may just enhance patient care and customer service with a complete HIPAA compliance program.
If you need help getting ready for a HIPAA audit or need assistance with analyzing your current level of compliance, don’t be afraid to reach out for help!  Check out the list of TriPoint Healthcare Solutions’ Services to help you with HIPAA Compliance!!
Danika

Disclaimer: The above questions are not intended to be a complete evaluation of HIPAA compliance or to determine whether you are completely prepared for a HIPAA audit. They are a tool to evaluate whether your organization needs to spend more time focusing on HIPAA compliance to prepare in the event of an audit. It is recommended that they be used as a simple evaluation to determine if you have concerns regarding your current compliance level with HIPAA. They are not considered legal advice or a complete compliance evaluation.

Filed Under: Other

Data Breach: It WILL NEVER Happen to Our Organization

June 1, 2015 by Danika Brinda

You choose your path: Be Prepared OR Be Scared.

How many times have you heard an organization say, “A data breach will never happen here,” “We are too small for a data breach to happen,” or “It only happens to hospitals and insurance companies”? The thought that a data breach will never happen to your organization can be your biggest mistake in the preparation and defense in the event that a data breach does occur. If you asked all the organizations who have experienced a HIPAA data breach in the past 12 months, many of them would agree that they never believed that something like that could happen.

Healthcare covered entities and business associates need to plan and be prepared in the event a potential data breach does occur.  Policies, procedures, and processes should be established that can be immediately activated in the event that a potential breach occurs and needs to be stopped, investigated, and mitigated. 

Looking over the past week, we see data breaches are occurring at all types of healthcare facilities and for a variety of reasons.

  • Buffalo Heart Group, 500 to 600 impacted – A third party working under a physician accessed information outside of the scope of the work to solicit patients with the movement of the physician to a new practice
  • Unity Recovery Group, Inc., fewer than 1,000 impacted – Improper disclosures of patient information to unaffiliated recovery services
  • New Jersey Medical Center, 1,400 impacted – An e-mail with a spreadsheet meant for internal use was sent to an incorrect recipient
  • Beacon Health, unknown impacted – Victim of a sophisticated phishing attack that caused unauthorized access to e-mails with PHI
  • University of Rochester Medical Group, 3,400 impacted – Former Nurse Practitioner took patients’ personal information with her when she left for another organization
  • HHC Jacobi Medical Center, 90,000 impacted – Improper access and transmission of files containing PHI to a personal email account
  • Associated Dentists – theft of a laptop – one was encrypted and the other was not encrypted

One piece of advice to all healthcare organizations and business associates: Be Prepared.  Don’t follow the path of so many and think that a data breach will never occur within your organization. 

If you are not confident about your breach notification response plan, review and update the plan so that it makes sense for your organization.  Go through practice drills to assure the process gets practiced and is realistic in the event of a potential data breach occurring. 

If additional help is needed, reaching out to experts in the industry is always a great idea. Having third party assistance in the creation and establishment of a process for your organization can help alleviate some of the fears and challenges that healthcare covered entities face.

Be prepared, plan accordingly, and assure your breach investigation process is ready. You never know when your organization may be the next data breach – a good response plan can save your organization from the unwanted repercussions that data breaches bring to organizations.

“If you are failing to plan, you are planning to fail.” – Tariq Siddique

Danika

Filed Under: Breach Notification, Business Associates, Data Breach, ePHI, HIPAA, Protected Health Information Tagged With: Data Breach, HIPAA
