HIPAA enforcement has grown sharply over the last year, with settlements for HIPAA compliance violations ranging from $240,000 to $3.9 million since September 2015. With Phase 2 of the HIPAA audits in full swing, and now covering business associates as well, hundreds of covered entities (CEs) and business associates (BAs) are under the microscope again.
In the last few months, hundreds of covered entities and business associates have received surveys from the HHS Office for Civil Rights (OCR) indicating that it has begun Phase 2 of the HIPAA Audit Program and intends to review their policies and procedures against the implementation specifications of the Privacy, Security, and Breach Notification Rules.
HIPAA Phase 1 Was Informational; HIPAA Phase 2 Is Proving to Be More Punitive
The first round of HIPAA audits was largely informational. The second round will result in enforcement action where appropriate, and, according to industry experts, Phase 1 found an overwhelming number of covered entities deficient in at least some HIPAA compliance standards. Because those deficiencies are already on record, Phase 2 auditees should expect a range of enforcement actions rather than advisory findings.
Becoming HIPAA compliant is no walk in the park, but with proper guidance and ongoing maintenance it is possible to take control of your organization's compliance without breaking your budget. To become and stay compliant, and to be prepared in the event of an audit, start with this top ten list of action items to determine where you stand:
- Update your privacy and security policies and procedures regularly.
- Ensure all authorizations for release of health information are easily understood by patients and in plain language.
- Designate an expressly named security officer and privacy officer.
- Ensure a sanctions policy is included in, and referenced by, your HIPAA policies and procedures.
- Update your Security Rule risk analysis so that it documents your current state of compliance.
- Re-evaluate and refresh workforce training, and document the materials used and who attended.
- Establish and maintain business associate agreements.
- Compile an inventory of the business associate agreements in place.
- Ensure your Notice of Privacy Practices is up to date and in line with the latest Omnibus Final Rule requirements, written in plain language, and posted and distributed as required.
- Develop a disaster recovery plan and a breach notification response plan, and incorporate both into your HIPAA policies and procedures.
Intrinium’s Comprehensive HIPAA Audit, Risk Assessment, and Gap Analysis Can Help
Intrinium's HIPAA Audit service is based on the HHS Office for Civil Rights audit protocol and NIST SP 800-30 guidance. Our HIPAA Audit program analyzes the policies and procedures of covered entities and business associates against HIPAA/HITECH requirements. Intrinium's audit protocol is module-based, with separate modules for security, privacy, and breach notification. Our in-depth risk assessment strategy includes the following elements:
- Development of your risk profile that details reasonable and foreseeable threats
- Determination of any controls in place to mitigate threats
- An evaluation of your organization’s control design
- A residual risk analysis to identify if more controls are needed
- In-depth control testing to confirm that controls are effective
Intrinium follows the HHS risk assessment strategy identified in NIST SP 800-30 guidance, in the order NIST defines the nine steps:
- System Characterization
- Threat Identification
- Vulnerability Identification
- Control Analysis
- Likelihood Determination
- Impact Analysis
- Risk Determination
- Control Recommendations
- Results Documentation
With cybersecurity threats advancing rapidly and HIPAA compliance requirements becoming increasingly stringent, healthcare organizations that handle protected health information should consider a comprehensive HIPAA compliance plan and an advanced threat protection approach within their healthcare IT security framework. If you would like more information on safeguarding your healthcare organization from cybersecurity threats and preparing for a HIPAA audit, contact Intrinium for a HIPAA compliance analysis consultation.