A productive way to view the administrative burden of HIPAA law compliance is to consider it as preventive maintenance. The Office for Civil Rights of Health and Human Services (OCR) reports that from the compliance date for the HIPAA law in 2003 through the end of 2019, it received over 225,378 HIPAA complaints and has initiated over 993 compliance reviews. About 70 percent of compliance reviews resulted in corrective action. Preparing for a possible HIPAA audit now will make the inevitable audit far less disruptive and significantly less expensive.
The compliance issues most often investigated by OCR are:
- Improper disclosure and use of personal health information (PHI)
- Insufficient safeguards on personal health information
- Lack of access to personal health information for patients
- Lack of safeguards for electronic personal health records (ePHI)
- Disclosure or use of more than minimum personal health information
Preemptive preparation for HIPAA audits protects covered entities from charges of negligence. Here are eight ways that covered entities can ensure regular compliance with HIPAA law to prepare for a HIPAA audit now.
1. Covered entities must know their users of protected health information.
FairWarning surveyed 1 million users of electronic health records (EHRs) and cloud applications. They found that 26 percent of users of protected health information were poorly known or entirely unknown to the care provider. Unknown users cannot be retrained or sanctioned in the event of a HIPAA violation. Covered organizations should add identity correlation technology to their EHRs and cloud applications.
2. Covered entities must give careful attention to business associate agreements (BAAs).
Every vendor handling personal health information must be bound by a business associate agreement. The business associate agreement goes a long way to ensure that both parties are bound to the rules for creating, transmitting, and receiving personal health information securely for lawful intent. But even more importantly, covered entities must ensure that their business associates have the proper protocols in place to take their agreement seriously. Any vendor can sign a business associate agreement. It is essential to ask questions to make sure that vendor protocols are sufficient to comply with HIPAA law.
3. Covered entities must conduct regular risk assessments.
The Breach Notification Rule requires covered health organizations to conduct risk assessments to assess the likelihood of compromised personal health information. These protocols enable covered organizations to recognize any legal requirement to report a breach of confidential information in a timely fashion. The OCR and the Office of the National Coordinator for Health Technology (ONC) have updated their Security Risk Assessment Tool to assist organizations with this requirement.
4. Covered entities must identify high-risk assets.
The Breach Notification Rule also requires covered entities to develop policies and standard operating procedures that identify assets at high-risk and ensure that the protection of those assets is current. Business-critical assets can be both technical and non-technical.
5. Covered entities must develop comprehensive incident response plans (IRPs).
Incident response plans keep security incidents from becoming security breaches. Incident response plans are required by the HIPAA Security Rule. Health and Human Services provides an Incident Response Plan template to facilitate agile responses to security incidents.
6. Covered entities must be able to prove they have set policy and procedure boundaries for compliance with HIPAA.
HIPAA 164.316 states that covered entities must be able to show that they have developed and maintain “reasonable and appropriate policies, procedures and standards.” Standards, expectations, and boundaries must be transparent for all parties.
7. Covered entities must offer ongoing training.
Survey data tell us that the majority of patient information breaches involve insiders, not vendors. HIPAA training has to be an ongoing process, not a one-time event.
8. Covered entities must keep their eye on PHI.
HIPAA 164.306 states that covered entities must ensure the “confidentiality, integrity, and availability” of all electronic protected health information (ePHI). HIPAA 164.312 requires that electronic systems containing ePHI must be accessible to all parties that have been granted access rights. Covered entities should monitor every system holding ePHI, including mobile devices and cloud applications, as well as EHRs throughout their life cycle. Administrators who foster a culture of compliance and who take timely corrective action when employees need training, retraining, or sanctions are better prepared to demonstrate these requirements of HIPAA law.