HIPAA Audits
Safety of PHI & ePHI
In 1996, the Department of Health and Human Services (HHS) released the Health Insurance Portability and Accountability Act (HIPAA) to address the use and privacy of protected health information (PHI) of all individuals, across the board. HIPAA audits are periodically conducted to ensure organizations remain HIPAA compliant. More recently in 2009, the HITECH (Health Information Technology for Economic and Clinical Health) Act was developed for more meaningful use for the adoption of electronic medical records (EMR). Intended for heightened safety and efficiency of patient care, the PHI documentation had transitioned to electronic medical records to enhance flow of information to and from healthcare providers and to encourage the highest quality of healthcare, altogether. Today, permissions for use and disclosure of ePHI (electronic protected health information) and PHI must be carefully measured within any organization and the Office for Civil Rights (OCR) has done just that.
An Inspection of ‘covered entities’
All healthcare organizations including healthcare providers, health plans, and health clearinghouses, fall under the HIPAA umbrella and are considered ‘covered entities.’ As such, they are required to participate in the OCR’s Privacy, Security, and Breach Notification Audit Program. Developed in 2012, the Department of HHS first implemented the program to evaluate various controls of healthcare best practices and to measure each organization against corresponding industry standards. These security standards require that all organizations have administrative, physical, and technical safeguards in place to protect privacy and confidentiality of patient information, and maintain data integrity for employees, customers, and shareholders. These security requirements can range from data encryption to something as simple as access denial to restricted areas intended for identified personnel only. Should an organization commit a HIPAA violation, the result would be a severe loss in competitive edge in the industry, degraded brand reputation, and heavy fines to upwards of $50,000 per violation with an annual maximum of $1.5 million.
HIPAA Audits Phase II: Investigation, Validation, Remediation
Similar to the Phase I Audits, the current compliance enforcement effort is designed to ensure that covered entities are not only documenting policies and procedures, but are also providing verification that they have adhered to policy, and followed their documented standards, processes, and procedures. The audit process will include review of the adoption and practice of selected policies and procedures as measured against standards of the program, and will come in the form of a pre-audit questionnaire to all covered entities via email. These emails have officially been auto sent to consultants and healthcare management staff as a forewarning of this audit process. Follow-up will include OCR selecting organizations to undergo ‘desk audits’ as well as onsite evaluations with the purpose of raising compliance awareness and enabling both the OCR and the covered entities to be properly equipped for the prevention of data breach. Secondarily, the OCR hopes to help pinpoint common areas of security vulnerabilities across industry to minimize the probability of the same issues occurring again.
Per OCR, this round of HIPAA audits shifted focus toward Risk Analysis and Risk Management for healthcare providers in addition to partnered Business Associates and vendors that could be a third party source of ePHI exposure. Because third-party organizations now have a hand in the delivery of integrated services, the support activities that they offer typically include the use and disclosure or creation of ePHI on behalf of the covered entity. The exchange and availability of sensitive data increases chances of data loss, and you can see why this might be problematic. The Privacy Rule ensures the covered entities receive adequate assurance of practices from their business associates to safeguard the ePHI and this process must be documented.
Business Associates handling ePHI highlights the importance of Third-Party Vendor Assessments to ensure they are properly vetted and utilizing best practices. For more information on third-party security, check out our post on Vendor Management!
Mark is a Senior Security Engineer and our Assessment team leader at NuHarbor Security. He has over 5 years of experience with network security and is a Certified Information Systems Security Professional (CISSP). Mark holds a number of other certifications and has worked with some of the largest Healthcare providers in the country to help strengthen the security of their patients' data and ensure HIPAA compliance from top to bottom.
SOURCES
- http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page
- http://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/
- http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/
- http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf
Follow us on Social Media!
facebook LinkedIn Twitter
