HIPAA audits are underway, and every Covered Entity and Business Associate has their name in the hat. You never know when you will be audited. It is best to be prepared.
From my experience working with our client base and others in the industry, I see some common items come up with audits. Do you have these five issues covered?
1. Know where your ePHI is stored.
Before you can protect anything, you need to know where to find it. Once you know which servers store the information, you can identify the risks associated with that storage.
Audit Note: Auditors search your network for anything that is storing ePHI. You do not want to be surprised by anything they find, so it’s important to find out where ePHI is stored before the audit.
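One way to build that inventory before the auditor does, as an added example (not part of the original post): walk a directory tree or file share and report which files contain identifier-shaped values. The pattern set (SSN-style numbers only), the validation rules, the size limit and the sample files are assumptions; a real deployment would extend the patterns to its own identifier formats (MRNs, member IDs) and run it against the shares and exports it actually uses.

```python
"""Walk a directory tree and report files that contain SSN-like values.

Added example, not from the original post. The single pattern, the
validation rules and the sample tree are assumptions for illustration.
"""
import os
import re
import sys
import tempfile
from dataclasses import dataclass

# SSN shaped as 123-45-6789. Area 000, 666 and 900-999 are never issued,
# and group 00 / serial 0000 are invalid, so those are filtered out below
# to cut down on false positives from unrelated numbers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # only the last four digits are kept; the report must not become ePHI itself


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def scan_text(path: str, text: str) -> list:
    """Return findings for one file's contents, redacting everything but the last four digits."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if looks_like_ssn(*m.groups()):
                findings.append(Finding(path, line_no, "ssn", "***-**-" + m.group(3)))
    return findings


def scan_tree(root: str, max_bytes: int = 5_000_000) -> list:
    """Scan every readable text file under root; oversized or unreadable files are skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(path, fh.read()))
            except OSError:
                continue
    return findings


def summarize(findings: list) -> dict:
    """Count findings per file so the output reads as a 'where is ePHI' inventory."""
    counts = {}
    for f in findings:
        counts[f.path] = counts.get(f.path, 0) + 1
    return counts


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    if root is None:
        # Constructed sample tree so the script runs offline; the values are made up.
        root = tempfile.mkdtemp()
        with open(os.path.join(root, "export.csv"), "w") as fh:
            fh.write("name,ssn\nPat Example,123-45-6789\nSam Example,000-12-3456\n")
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("No identifiers in this file.\n")
    for path, n in sorted(summarize(scan_tree(root)).items()):
        print(f"{n:4d} SSN-like value(s) in {path}")
```

Run it as `python scan.py /path/to/share` against the locations you suspect; files that show up in the summary belong on the asset list for the Risk Assessment in item 3. The report deliberately stores only the last four digits, since a findings file full of complete SSNs would itself be ePHI that needs protecting.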
2. Understand which devices can access ePHI.
Do you know which devices access the ePHI and how? Your EHR software should be encrypting the data prior to storing it. This simple act guarantees that all access to the ePHI goes through the EHR and is appropriately logged.
Audit Note: Auditors evaluate the security of various devices that have access.
3. Complete a Comprehensive Risk Assessment.
A comprehensive Risk Assessment includes a list of assets, the threats to each asset, and a vulnerability for each threat. Each asset may have several threats and vulnerabilities. Here is an example:
|Asset|Threat|Vulnerability|
|---|---|---|
|Workstation|Equipment failure|No backup|
|Server|Power surge|No surge protection|
Assign a likelihood and impact rating to each scenario to help with mitigation planning.
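The steps above (list assets, pair each with its threats and vulnerabilities, then rate likelihood and impact) amount to a risk register. The following is an added example, not from the original post, of keeping that register in code so the scenarios can be validated and ranked for mitigation planning. The 1 to 5 scales, the multiplicative score and the High/Moderate/Low thresholds are assumptions chosen for illustration; NIST SP 800-30 defines its own qualitative scales and combination tables, and an organization should adopt one scale and apply it consistently.

```python
"""Score and rank risk-assessment scenarios (asset, threat, vulnerability).

Added example, not from the original post. Scales and thresholds are
assumptions for illustration rather than the NIST SP 800-30 tables.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # 1 (negligible) .. 5 (severe), assumed scale

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot silently skew the ranking.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")


def risk_score(s: Scenario) -> int:
    """Simple likelihood x impact score (assumed method)."""
    return s.likelihood * s.impact


def risk_level(score: int) -> str:
    """Map a score to a qualitative level; thresholds assumed for this example."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Moderate"
    return "Low"


def rank(scenarios: list) -> list:
    """Highest score first; ties put the higher-impact scenario first so severe outcomes surface."""
    return sorted(scenarios, key=lambda s: (risk_score(s), s.impact), reverse=True)


def register_rows(scenarios: list) -> list:
    """Rows of (asset, threat, vulnerability, score, level) in mitigation-priority order."""
    return [
        (s.asset, s.threat, s.vulnerability, risk_score(s), risk_level(risk_score(s)))
        for s in rank(scenarios)
    ]


# Constructed sample register: the two rows from the post plus one more, with assumed ratings.
SAMPLE = [
    Scenario("Workstation", "Equipment failure", "No backup", likelihood=4, impact=3),
    Scenario("Server", "Power surge", "No surge protection", likelihood=2, impact=5),
    Scenario("Laptop", "Theft", "Disk not encrypted", likelihood=3, impact=5),
]

if __name__ == "__main__":
    for asset, threat, vuln, score, level in register_rows(SAMPLE):
        print(f"{level:8} {score:2d}  {asset:12} {threat:18} {vuln}")
```

The ranked output is the list you work through when planning mitigations; re-scoring a scenario after a control is added (for example, lowering the laptop's impact once its disk is encrypted) shows the auditor that the assessment is a living document rather than a one-time exercise.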
Audit Note: Auditors want to see this Risk Assessment. They will recommend that you follow NIST SP 800-30.
4. Maintain Business Associate Agreements (BAA).
Recently, Oregon Health & Science University suffered a breach due to storing information in a Google cloud service without a BAA in place with Google. HIPAA requires Covered Entities to maintain Business Associate Agreements with any vendor prior to providing covered information to that vendor. This includes using a third-party email provider like Gmail, Yahoo, or AOL. ePHI should not be sent across email unless absolutely necessary. If it is necessary, a BAA needs to be in place and the security of the ePHI needs to be addressed.
Audit Note: Auditors review your partnerships and ask for current BAAs for each vendor that may handle your ePHI.
5. Dedicate resources.
Compliance is a large project and it is only a starting point towards security. Assign someone the responsibility of ensuring HIPAA compliance and general security. Individuals involved need to be allowed to put compliance tasks above all other tasks.
Audit Note: Auditors want to know who has been designated as the Security Officer and who the Compliance Officer is. Ideally, those roles should be two separate people.
Risk Assessments need to be a very detailed process. The Office for Civil Rights (OCR) can levy large fines for non-compliance. Ensuring that your organization is compliant prior to an audit will reap rewards in reduced or eliminated fines.