5 Lessons Learned from the 2012 trial HIPAA audits

Posted: Sep 11, 2014

In 2011-2012, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) carried out pilot HIPAA audits of 115 covered entities (CEs), as mandated by the HITECH Act. The audits examined each CE's policies, processes, and controls against the HIPAA Privacy, Security, and Breach Notification Rules to verify compliance.

With the second round of HIPAA audits due to commence this fall and continue into 2015, here are five lessons from the pilot audits for working towards, and maintaining, HIPAA compliance within your healthcare organization:

1. Regularly reassess the risks!
Rule number one: never assume your organization is secure. Relying on the findings of a risk assessment carried out years ago could leave you caught off guard by an audit, and a costly penalty may follow. The Security Rule requires a risk analysis, and an incomplete or missing risk analysis was among the most common findings of the pilot audits. Carry out risk assessments regularly, and whenever systems or processes that handle PHI change, so that gaps are identified and remediated before an auditor finds them.

2. Choose a Business Associate you can rely on.
Document exchange and storage is an integral administrative element of the healthcare industry, with sensitive information being handled on a daily basis. As part of a HIPAA audit, organizations can expect close scrutiny of how Protected Health Information (PHI) is safeguarded. The audit protocol covers the HIPAA Security Rule requirements for administrative, physical, and technical safeguards, so it is vital that any third party handling PHI on your behalf, such as a document management provider, is a Business Associate (BA) that can meet those requirements. Do you have a signed Business Associate Agreement (BAA) in place with each of your BAs, and can they show you the safeguards that back it up?

3. Keep everyone in the loop.
In healthcare, when an internal process is amended, however minor the change, it is essential that all personnel are kept up to date. Track every change to organizational processes and circulate those changes amongst the team. As outlined by HHS, the audit program protocol covers the Privacy Rule requirements for:

  • Notice of privacy practices for PHI
  • Rights to request privacy protection for PHI
  • Access of individuals to PHI
  • Administrative requirements
  • Uses and disclosures of PHI
  • Amendment of PHI
  • Accounting of disclosures

The smallest change to internal processes could affect any of the above requirements, therefore, it is important that any amendments are well documented and understood.

4. Emphasize security at every stage.
The modern-day workplace isn't 9 to 5, and certainly isn't restricted to one office location. Healthcare professionals are more mobile than ever with the growth of the Bring Your Own Device (BYOD) workforce. Eliminate insecure methods of communication by promoting the use of HIPAA-compliant software. Set clear rules on when email may be used for PHI, prohibit sending PHI over unencrypted channels or consumer messaging apps, and make sure staff know which approved tools to use instead.

5. Communicate with your patients.
Healthcare data breaches are now routinely in the news, as are breaches in other industries such as finance and education. Build trust by clearly communicating the measures you take to keep personal data secure, and be ready to notify affected patients promptly if a breach does occur, as the Breach Notification Rule requires.

Watch this space for an overview of what to expect from Phase 2 of the HIPAA audits!