Earlier this year, the American Health Information Management Association (AHIMA) published its “External HIPAA Audit Readiness Toolkit” to help covered entities (CEs) and business associates (BAs) prepare for the Office for Civil Rights’ (OCR) upcoming Phase 2 HIPAA Audit Program. The toolkit aims to be the go-to resource for understanding the requirements of Phase 2 audits, so you can self-audit your healthcare organization and be prepared. Although the kit is a good start, we’ve identified additional activities that are necessary—including credible sources to use as reference for best practices.
In Phase 2 audits, the OCR will look for fully developed information governance programs that go beyond the minimum requirements for record management and compliance; comprehensive information privacy and data security is necessary. Self-auditing, starting with the AHIMA toolkit, helps ensure your data is protected and you’re able to demonstrate compliance with the OCR. Let’s review the actions you can take to be prepared for HIPAA audits:
- Threat identification and prioritization of mitigation: Your compliance and security team should identify and document all threats—physical and logical—to your organization and its assets. From there, prioritize how you will tackle the protection of your critical systems and sensitive information. The value of each asset and its impact on your organization dictate the order of prioritization: systems and assets of greater value come first. Threat mitigation occurs through the processes, policies, and technologies you choose, which are unique to your particular business.
- Employee training and awareness: Most employees understand the basics of HIPAA compliance. However, few have the training and knowledge needed to address cyberattacks, phishing attempts, ransomware attacks, or DDoS attacks. Train employees not only to recognize these types of threats, but also to report and respond to them properly. The importance of ongoing training cannot be overstated. (Here are additional tips to prepare and empower your employees.)
- Incident response policy and drills: No organization is exempt from the possibility of a security incident that affects its systems and ability to remain operational. An incident response policy provides guidance for handling and reporting, and practice makes perfect. It is all fine and well to write down and discuss policies and procedures, but employees must know how to implement them effectively. Regularly simulate incidents to be sure everyone can respond as needed during the stress of a real situation. For example, some organizations send test phishing emails to see how well employees identify and report the malicious link. Follow-up education after these training exercises significantly reduces the chances of a security breach.
- Mobile device/BYOD and wearables security policy: As more companies allow employees to use mobile devices and wearables in the workplace (e.g., doctors using tablets), it’s important to protect beyond the desktop. The toolkit only scratches the surface of creating such policies. You’ll need to develop comprehensive device security policies, address accountability and outline responsibilities, embrace encryption, use proper authentication controls, and invest in technology that identifies vulnerabilities across all endpoints, along with other technologies that provide proper risk management. More information can be found in the FDA recommendations for guidance on medical device security and in our recent articles “Control the Risks of IoT and BYOD in Healthcare,” Part I and Part II.
- Social media policy: Social media posts, however harmless they seem, can unwittingly violate patient privacy and pose a security threat. Imagine hospital staff posting a selfie on Instagram that’s taken at work. Perhaps a patient appears in the background. Or, someone has taped a password to a printer connected to the internet and it’s visible in the photograph. Either detail could prove useful to a hacker. Develop a social media policy and review it with all employees.
- Record retention, data decommissioning, and destruction policies: Make sure your record retention and data decommissioning policies are current and well known. This includes physical paper, which may contain private company data, and electronic files.
- Disaster recovery and business continuity plans: Many organizations are aware of the importance of maintaining regular backups. However, many do not have an actual disaster recovery (DR) and business continuity process. Backups give you the ability to restore files if they are lost, but DR allows you to maintain uptime and keep your operations functioning should a disaster occur. Healthcare organizations are particularly vulnerable to disruptions in their services. Having an up-to-date and tested DR plan as part of your business continuity strategy can ensure that your company can stay up and running even in times of crisis. (Learn more about how to document your disaster recovery efforts.)
- Documentation of compliance: It’s not enough to be compliant; you have to prove that you’re compliant. This is often a misstep for healthcare organizations and is critical to the audit process. All of the aforementioned policies and procedures need to be organized and well documented to clearly show how you’re HIPAA compliant. Discuss documentation with your vendors and IT providers to ensure they, too, have documentation in place to be audit-ready.
Beyond the Audit
It’s important for your organization to keep track of its assets, especially if you handle sensitive data and must undergo ongoing security reviews and risk assessments. Consider the threats posed by your vendors and apply security controls based on the associated risks. Always apply least-privilege and need-to-know access control to information systems to limit the exposure associated with elevated privileges. As recent ransomware attacks demonstrate, you must pay attention to every detail and maintain system updates and patching, too.
Many healthcare data breaches are attacks on on-site systems that are outdated and weak; consider partnering with a HIPAA-compliant hosting provider to develop a strong infrastructure. HIPAA-compliant providers offer cost-effective security solutions, as they have in-house expertise, technology, and resources you might not otherwise be able to afford. OnRamp, for instance, has a team of certified engineers who monitor and maintain up-to-date systems that exceed healthcare regulations and safeguard your assets. When you combine the AHIMA toolkit, the best practices outlined above, and the guidance of a provider with a compliance specialization, you minimize data security risks and maximize information privacy and safety. Contact OnRamp for more information.