Three Essential Best Practices for HIPAA Compliance
This blog post is taken from a recent Webinar featuring Marti Arvin, Vice President of Audit Strategy at CynergisTek.
There have been 17 HIPAA enforcement actions since the beginning of 2016, over a period of 15 months. Most of these were the result of self-disclosure, where the organization was required to contact the Office for Civil Rights (OCR) about a notifiable breach. Two of the 17 were the result of a complaint filed by individuals regarding the protection of their data. Fifteen, or almost 90%, were resolved by settlement with a resolution agreement and corrective action plan. Two were resolved via the formal resolution process. Here are some best practices for ensuring your organization remains compliant.
Monitor and Update BAAs
Some of the key issues involved in these cases are the absence of a business associate agreement (BAA) or failure to update the BAA for changes under the HITECH law. I’ve seen organizations with BAAs that include language to the effect that the BAA would automatically incorporate any amendments to the rule. The problem here is that the HITECH changes were not technically amendments to the rule. OCR is likely looking for more structured and formal language addressing the HITECH changes.
Many organizations tell me they don’t feel comfortable that they’re capturing all their business associate relationships. If your contracting goes through a single source within your organization, this is easier to do. If it’s decentralized, then anyone who can enter into an agreement must fully understand what triggers the need for a BAA or know who can help them.
The key takeaways here: have a process for identifying, evaluating, monitoring and ending business associate agreements.
Monitor and Audit Access to PHI
Organizations must have a strong program for auditing and monitoring access by both your workforce members and the employees of any third parties with access to your systems. Many do this well for their workforce members, but find it more challenging to do so for third parties. You should require affiliated organizations to provide proof of training and consider conducting a site visit. It’s important to know their privacy and security incident history. What incidents have they had? What are some of the issues that they’ve encountered?
Perform Adequate and Routine Risk Analyses
Another key finding is the failure to perform a risk analysis, or performing one that is inadequate. Risks must be assessed on a routine basis. For example, if you performed one in 2005 and another in 2010, and you haven’t performed one since, OCR is unlikely to find this adequate. I suggest letting no more than three years elapse between assessments. The OCR audit process for phase two requires an organization to provide both its prior and most recent risk assessments, along with evidence of mitigation of the identified risks.
To learn more, watch the full Webinar here.