Even though HIPAA has been around for over a decade, it is making news daily with health data breaches and the upcoming HIPAA audits. When talking with many healthcare organizations, HIPAA is not and has not been a top priority within the organization. In fact, many healthcare organizations implemented HIPAA in 2003 and 2005 as required by the compliance dates of the HIPAA Privacy and Security Rule and haven’t done any additional work on compliance. With the announcement by the Office of Civil Rights that the Phase 2 HIPAA audits will begin in early 2016, and afterwards a permanent HIPAA Audit program will be established, all healthcare organizations as well as business associates need to evaluate the current level of compliance and understand the risks within the organization. The best process to take for evaluation of current compliance and risks is conducting a HIPAA risk analysis, as required by the HIPAA Security Rule.
When conducting a HIPAA risk analysis, a checklist of the regulations may be use as a guide, but it is important to understand that a checklist SHOULD NOT be the only item used when conducting a HIPAA Risk Analysis. A checklist can be a good guide as you evaluate your current level of compliance, but other aspects of HIPAA compliance should also be evaluated during a HIPAA Risk Analysis process. In addition to a checklist, healthcare organizations should also follow these simple steps to conduct a complete risk analysis:
-
Conduct Physical Walk-throughs – Part of the HIPAA regulations focus on the physical features of an organization. A walk-through should be conducted to determine: how information is being processed, where information may be improperly used, what safeguards are established for electronic equipment, how you are protecting paper records, if people are logging out of computers or systems when they are walking away. These are some basic areas to review during a walkthrough. A simple walkthrough checklist can be helpful during the process. -
Collect Supporting Evidence of Compliance – An organization should collect evidence to support compliance with privacy and security policies and procedures established. For example, if you state that you will conduct information activity review on a bi-monthly basis, an organization will want to ensure that they have evidence of the bi-monthly information activity reviews. -
Conduct Workforce Interviews – Workforce members are the first line of defense with safeguarding and protecting PHI. It is important to understand the workforce’s knowledge and comfort with using and protecting PHI throughout the normal course of business. Ask workforce questions to understand the comfort and adherence to organizational policies and procedures. -
Review Unauthorized Uses and Disclosures of PHI (and Data Breaches) – one area of non-compliance can be from the history of data breaches or unauthorized uses and disclosures of PHI. During the risk analysis process, an organization should evaluate the recent issues with the use and disclosure of PHI to trend issues and evaluate if potential risks exist. For example, if 4 unauthorized disclosures are due to wrong faxes sent, there could be an indication a risk exists with employee education on faxing PHI. Taking time to review this activity can help trend and understand the issues and potential risks within your organization. -
Evaluate Conducting Network Security Testing (Penetration Testing) – while not a requirement, it is a good idea to have penetration testing done to determine if there are security risks within your network infrastructure. Network security testing involves electronically evaluating the current network infrastructure to determine if here are weakness in the network. Network weakness can lead to unauthorized intrusion and hacking into a network. Penetration testing will look very different depending on the size and complexity of the network established.
Regardless of the size of your organization, the foundational step in any HIPAA compliance program is the completion of a HIPAA Risk Analysis. Why this is not mandated to be conducted on a yearly basis, the organizations that find themselves most comfortable and compliant with the HIPAA regulations conduct a Risk Analysis on a regular basis. Don’t be the next headline of a large data breach with a monetary fine and corrective action plan. Conduct a robust HIPAA risk analysis and feel confident with your compliance.
Danika