2014 saw a rise in data breaches and HIPAA compliance failures inside the healthcare industry. The Office for Civil Rights (OCR) takes privacy and security seriously, and more companies have been fined for failure to comply with the Health Insurance Portability and Accountability Act (HIPAA). This year, the OCR will use the HIPAA audit program to randomly assess healthcare entities and business associates for compliance with the HIPAA privacy, security and breach notification rules. Here are 5 mistakes to avoid with 2015 HIPAA audits coming:
Failing to keep up with regulatory requirements
Gain a better understanding of the criteria for standards marked “required” versus “addressable.” Covered entities must comply with every Security Rule standard. For addressable specifications, covered entities need to evaluate after a risk assessment whether the measure is reasonable and appropriate in their environment, and, if not, the Security Rule allows them to consider an equivalent alternative measure. Be certain that you document everything, especially since the OCR may examine encryption during audits this year.
No documented security program
The OCR wants to know how you execute a security risk assessment program, so be sure your company has a documented security awareness program. Once you know the requirements, assess your environment and your users. Does your organization have a security and compliance program in place? How well is it implemented? Who is involved? How often do you communicate? Everyone in your company must be held responsible for safeguarding data and following proper procedures. Have a program and a point person in place, and make certain your compliance and security teams consult each other. Establish a committee with stakeholders and clear responsibilities, and make certain the plan is documented, communicated and implemented throughout the company.
A reactive approach to audits
Once you establish a security program, proactively monitor security and performance indicators, as OCR audits will focus heavily on breach response plans and the controls you have in place to protect patient data. Auditors will look at who has access to critical group memberships, so make sure you are auditing and reporting on user activity, including that of your privileged users. Auditors are increasingly interested in this area because of the recent increase in insider incidents.
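The following is an added example, not code from the article, showing the kind of reporting the paragraph above calls for: it parses constructed audit-log lines (the line format, group names and user names are all assumptions made for the example), flags additions to privileged groups, notes whether each change happened outside business hours, and tallies the activity of privileged users, including accounts that were elevated partway through the log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample audit lines for the example (not from the article).
# Assumed format: <timestamp> <actor> <action> <target> [details]
SAMPLE_LOG = """\
2015-01-12T08:01:10Z alice LOGIN workstation-07 success
2015-01-12T08:02:44Z alice READ patient-record/4471 ok
2015-01-12T08:15:03Z bob GROUP_ADD carol Domain Admins
2015-01-12T09:20:51Z dave LOGIN db-server-02 success
2015-01-12T09:21:30Z dave EXPORT patient-table 12000 rows
2015-01-12T22:47:09Z carol LOGIN db-server-02 success
2015-01-12T22:48:12Z carol GROUP_ADD mallory EHR_Admins
"""

# Assumed names of the groups and accounts the organization treats as privileged.
PRIVILEGED_GROUPS = {"Domain Admins", "EHR_Admins"}
PRIVILEGED_USERS = {"bob", "dave"}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59, assumed for the example

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<actor>\S+) (?P<action>\S+) (?P<target>\S+)(?: (?P<details>.*))?$"
)


def parse(log_text):
    """Turn raw audit lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def _after_hours(ts):
    hour = int(ts[11:13])  # hour field of the ISO-8601 timestamp
    return hour not in BUSINESS_HOURS


def privileged_group_changes(events):
    """Report every addition to a privileged group, with an after-hours flag."""
    changes = []
    for e in events:
        if e["action"] == "GROUP_ADD" and e["details"] in PRIVILEGED_GROUPS:
            changes.append({
                "actor": e["actor"],
                "user": e["target"],
                "group": e["details"],
                "after_hours": _after_hours(e["ts"]),
            })
    return changes


def privileged_user_activity(events, privileged_users=PRIVILEGED_USERS):
    """Count actions per privileged user.

    Accounts added to a privileged group are counted as privileged from
    that point on, so activity right after an elevation is not missed.
    """
    privileged = set(privileged_users)
    report = defaultdict(Counter)
    for e in events:
        if e["action"] == "GROUP_ADD" and e["details"] in PRIVILEGED_GROUPS:
            privileged.add(e["target"])
        if e["actor"] in privileged:
            report[e["actor"]][e["action"]] += 1
    return {user: dict(counts) for user, counts in report.items()}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for change in privileged_group_changes(evs):
        print("group change:", change)
    for user, counts in privileged_user_activity(evs).items():
        print("privileged activity:", user, counts)
```

Both functions return plain data rather than printing, so the same code can feed a scheduled report, a ticket, or an alert on after-hours membership changes.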
Assumptions regarding business associates agreements
Contractors and subcontractors who process medical insurance claims are responsible for the security of private patient information. Make sure you have an updated business associate agreement in place, and make certain the chain of accountability is documented, agreed upon, and reviewed frequently by both parties. Sample agreement provisions published by the OCR can help you through this process.
A checkbox approach to compliance
Experts recommend replacing the checkbox approach to compliance with a risk-based security approach. Compliance and security must go hand in hand, and organizations benefit from adopting this mindset across both teams. Strong security measures help you meet compliance requirements. By honestly assessing your own organization, you gain greater visibility into and understanding of internal weaknesses, and build a more robust business process and the next level of organizational maturity.