Protect Your Organization with a HIPAA Security Plan
February 23, 2017
By Steven Bisciello, MBA, CMPE
In 2016, there were a number of updates and respective releases made by the Office for Civil Rights (“OCR”) in terms of HIPAA Security. One major update was that the OCR notified a number of health care covered entities (“CEs”) and their respective business associates (via notification letters/emails) that the OCR would be performing individual audits of said entities/associates through their Phase Two HIPAA Security Audit Program.
Another major update was that the Final Omnibus Rule will now hold health care organizations’ respective business associates (“BAs”) and their subcontractors to both the same privacy and security standards and possible subsequent fines, which were previously required only of CEs.
Why are these updates important? Well for starters, the goal of the individual audits in the Phase Two HIPAA Security Audit Program is “to examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities” to ensure compliance with HIPAA privacy/security, protected health information, and breach notification guidelines. Also, CEs are responsible for ensuring that their BAs/subcontractors are in compliance with HIPAA regulations. Noncompliance could result in the CE being negatively affected as well as their BA, namely through possible audits, their subsequent fines and upstream negative press/public relations.
Some of the largest fines assessed against CEs that we have seen resulted from a HIPAA breach by the BA of a CE .
What can you do to protect your respective organization? Protection will be similar, but two fold. In regards to your respective organization/CE, we recommend you engage a third party to assist you in the following steps.
First, ensure a thorough risk review is performed and documented. This will assess your workplace’s current state and any exposures/vulnerabilities to breach/integrity of electronic protected health information (ePHI). The findings and respective areas for improvement should be documented with a corresponding implementation plan.
Next, create and document customized/tailored policies and procedures. These policies and procedures should be created for the 3 main areas: administrative safeguards, physical safeguards, and technical safeguards. These policies and procedures safeguards should then be implemented into the organization’s daily processes to ensure protection of ePHI and greatly reduce exposure to HIPAA security audits and their respective potential penalties. It is important to also note that said policies and procedures will most likely need to be updated regularly as regulations are updated/new regulations released.
Third, ensure training is completed and documented for existing and new employees on both HIPAA Security regulations and your organization’s documented policies and procedures for safeguards. We always also recommend that our clients perform recurring HIPAA security refresher training on an annual basis.
In regard to your BAs, perform due diligence before contracting is completed. If you have long standing relationships and due diligence was not performed prior to contracting with BAs, we also recommend you engage an independent third party to audit the BAs and ensure they have performed and documented all of the above (risk review, documented/customized policies and procedures, training). With both existing and potential new BAs, also provide them with and get back a signed business associate agreement (“BAA”). A BAA is a contract between a CE and a BA documenting the CE’s expectations, requirements and subsequent indemnification of the BA for the protection of ePHI, in accordance with HIPAA guidelines.