Be prepared for audits


Be prepared for audits

With HIPAA audits looming in 2015, this is a prime time to ensure that your organization and its business associates have their HIPAA compliance in order. HRMR reports.

In a media briefing in January, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) director Jocelyn Samuels outlined enforcement plans for 2015, which include a new round of Health Insurance Portability and Accountability Act of 1996 (HIPAA) audits—both ‘desk audits’ and on-site evaluations. These will include covered entities and business associates. 

Samuels stopped short of committing to a specific timeline for the audits, which have already been pushed back from 2014, but there is no doubt that they are in the pipeline, which means that now is a good time to ensure that you are prepared.

“While a timeline has not yet been released for the resumption of audits, the time you have to get your security house in order is quickly running out,” says Jim Tufts, senior health IT consultant at ICE Technologies, a company that works with community hospitals to improve operational efficiency and gain value from their IT investments.

“As we saw in 2014, some highly publicized cases of HIPAA settlements (investigations that were triggered by breach reports) resulted in fines in excess of $1 million. 

“This should be viewed as a wake-up call that the OCR expects covered entities and business associates to safeguard electronic protected health information (EPHI). In addition to evaluating how well your policies and procedures meet the requirements of the Security Rule’s implementation specifications, auditors will be focusing on whether your staff know and follow your policies. 

“They will expect them to be integrated into daily activities and workflows, especially those that involve EPHI. It’s no longer adequate just to have a nice set of policies in place; you must follow those policies (do what your policies say you should do) and provide documentation that validates that you are.”

Putting policies into practice

Eric Cowperthwaite, vice president, advanced security and strategy for computer and network security company Core Security, agrees that simply having written policies is not enough. He says the biggest pitfall he has seen among healthcare organizations is an inability to put policies into action.

“In my experience, healthcare organizations often have a great written policy saying that they must comply with HIPAA. They then fail to actually put into practice the requirements of their own written policy,” he says. 

“For example, if your policy says that all portable storage must be encrypted, then you had better make sure it is all encrypted, and that you have clearly documented evidence that you did so. This is what the auditors are looking for.”

It’s time to move beyond just having a binder full of policies sitting on a shelf, says Tufts. You must educate your workforce so that each and every member, from top to bottom, understands the practical, day-to-day application of your security policies, and can demonstrate compliance.

Serious consequences

It’s worth remembering that the consequences of failing an audit could be very costly.

“The OCR has the ability to level fines, which start at a minimum of $10,000 (it goes up from there, based on severity) for what has been called ‘wilful neglect of compliance’,” warns Tufts.

Preparation for the audits needs to focus on two areas, says Cowperthwaite: improve your security posture and ensure you comply with the requirements of the HIPAA Security Rule and all the associated regulations. A formal security risk management program is a must: it should appropriately assess the risks your organization faces and do so in a documented, easy to understand fashion. Then you must build a plan to remediate and manage the risks faced by the organization. 

“Finally, you need to actually execute that plan. And all of this must be clearly documented with evidence to demonstrate what you are doing for your auditors.” 

A threatening environment

Aside from the need to satisfy the auditors, the wider cybersecurity environment is pressing the need to tighten security. Healthcare organizations are now being targeted for attack by quite capable (and malicious) outsiders. CHS, Premera and Anthem have all hit the headlines because of this. Meanwhile, the old threats (insider access to health data, accidental data disclosure) are still alive and well. 

“Healthcare organizations will need to continue to deal with those threats as well as shifting their focus so they are better prepared to deal with attackers trying to steal data from them,” says Cowperthwaite. 

“This problem will get worse, not better. There is evidence that intelligence agencies view healthcare data as an important set of data in their intelligence gathering efforts. And financially motivated attackers are turning to healthcare as a treasure trove of personal identifying information for identity theft as well as credit card data.”

He says that while evaluating your compliance with the Security Rule, auditors will target areas that fall into three basic categories: first, security risks such as mobile devices (including smartphones), social media, and storage media—not only backups. “Also think about copiers, etc—anything with a hard drive,” he says.

Second, they will look at privacy risks. “Remember that your workforce is statistically your weakest link in the security chain,” says Tufts.

Finally, auditors will be looking at general information risks. “Business associates and their sub-contractors with access to your EPHI, cloud storage, employee-owned devices (BYOD—bring your own device programs), and encryption (or lack thereof) are just a few examples,” he says.  

“You must also be active in trying to identify new threats and vulnerabilities, and if some are discovered, determine your organization’s risk and document your remediation activities to protect against them.

“Ongoing consistent risk assessment processes should be in place and performed on a routine basis, and as new systems are considered.” 

HIPAA, HRMR, Risk Management, US, Jocelyn Samuels, Insurance, Eric Cowperthwaite, Core Security, HHS