5 tips to prepare for Phase 2 HIPAA audits
This summer, healthcare providers all over the United States began agonizing about HIPAA compliance, as the Office for Civil Rights (OCR) sent out preliminary surveys to begin its long-awaited Phase 2 HIPAA audits. After months of delays, the audits could begin as early as this fall. If you’re daunted by getting your company’s policies in order, you’re not alone. This phase gets into the nitty-gritty of security practices—including PHI access, privacy practices, encryption, and data breach notification—which is complicated territory.
In 2014 alone, the Department of Health and Human Services was notified of 282 data breaches affecting 500 or more individuals, which compromised the data of more than 12 million people. According to the Ponemon Institute, 90 percent of healthcare organizations have experienced a data breach, and 40 percent have had five or more in the last two years. These numbers really speak for themselves: Data breaches in the healthcare industry are a major problem, so it’s high time that the OCR is auditing organizations to assess—and remediate—risks. Notably, both covered entities and their business associates will be audited this time around, an acknowledgment that it isn’t only healthcare organizations that need to be careful.
The audits are no doubt a daunting process. But the wakeup call audit preparation can bring shouldn’t be limited to only the organizations that get tapped by OCR. After all, HIPAA compliance is a complicated undertaking with many moving parts.
We’ve put together some tips for healthcare organizations to prepare for this second round of OCR audits—and implement some best practices for securing PHI. Even if you don’t end up being audited, heeding these tips puts your organization on the right road to HIPAA compliance.
1. Encrypt sensitive data. Encryption is key to preventing data breaches, and while it’s not the only thing that contributes to compliance, it’s perhaps the most important place to start. To prepare for the HIPAA audits, make sure you know exactly which of your organization’s files are being encrypted and how—and which are not. Tools like data-loss prevention scanners can help give a portrait of this in your organization.
But from there, it’s essential to take strides to encrypt everything that’s sensitive. When it comes to complying with HIPAA, file-level encryption is paramount: Encrypting the content itself—rather than just its storage place—ensures that the encryption is maintained wherever the files are synced, shared, and emailed or if the cloud provider falls victim to a data breach. ePHI demands the highest levels of protection, and getting into the practice of securing data at the file level will make complying with HIPAA—and passing the audits—that much easier.
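The point about encrypting the content itself rather than its storage place can be shown concretely. The following Go program is an added example, not code from the article or from Sookasa: it seals a constructed patient record with AES-256-GCM so that the resulting blob carries its own nonce and integrity tag and stays protected no matter where it is copied, and any modification of the blob (or an attempt with the wrong key) is detected on decryption. Key generation and storage are assumed to be handled by a separate key-management process; the key here is generated in memory purely for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptFile seals file content under a 256-bit key with AES-GCM.
// Output layout: nonce || ciphertext || GCM tag. Because the nonce and the
// tag travel with the ciphertext, the blob is self-contained and keeps its
// protection wherever it is synced, shared, or e-mailed.
func EncryptFile(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per file; reusing a nonce under the same key
	// would break GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce we pass as the dst prefix.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptFile opens a blob produced by EncryptFile. It fails if the key is
// wrong or if a single bit of the blob was altered in transit or at rest.
func DecryptFile(key, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// TamperDetected simulates the blob being copied to another location and
// modified there; it reports whether decryption correctly rejects the copy.
func TamperDetected(key, blob []byte) bool {
	copied := append([]byte(nil), blob...)
	copied[len(copied)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err := DecryptFile(key, copied)
	return err != nil
}

// NewKey returns a random 256-bit key (demonstration only; in practice the
// key comes from a key-management system, never from the file's storage).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte("patient=Jane Example;mrn=000000;dx=sample")
	blob, err := EncryptFile(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible in blob:", bytes.Contains(blob, record))
	back, err := DecryptFile(key, blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, record))
	fmt.Println("tampering detected:", TamperDetected(key, blob))
}
```

Storage-level encryption (an encrypted disk or an encrypting cloud bucket) would leave this record in the clear the moment it is synced to a laptop or attached to an e-mail; the sealed blob above does not, and its integrity tag also gives an auditor evidence that the content was not altered.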
2. Review and update all security and privacy practices. You know by now that HIPAA is about more than the day-to-day operations and handling of PHI. Often, HIPAA is oriented around policies. With that in mind, know that the HIPAA auditors will be taking a close look at security and privacy practices, so it’s a good time to become familiar with your company’s. Pay particular attention to BYOD policies and integrity control. As more and more healthcare providers use mobile devices to store and share patient records and other sensitive data, it’s critical to have up-to-date policies governing device use. Keep in mind that even if the cloud isn’t officially sanctioned at your workplace, employees are likely using it anyway, and likely in an unsafe manner, especially on their phones.
More than 1.4 million smartphones were stolen just last year. Add to that stolen laptops, tablets, and flash drives, and lost devices of any kind, and you can see that there’s a lot of unsecured data ripe for the picking out there. In fact, misplaced mobile devices and other inadvertent employee negligence are often cited as the number-one cause of data breaches. A smart policy will not only endorse the cloud, but also provide appropriate additional levels of encryption that protect files in transit and on mobile devices. By the same token, HIPAA mandates that ePHI security is never compromised, and maintaining audit trails for sensitive files—and knowing who is accessing which files and when—is an excellent practice for integrity control and privacy assurance.
3. Don’t just know your policies—know how you’ll respond to a data breach. Data breaches happen all the time, to companies big and small. Having strong security measures in place is a must, but it doesn’t mean you can assume your files will never be breached. Rather, savvy companies will expect a breach—and know exactly what they should do if one happens. Make sure you have a comprehensive procedure in place for data breach notification that reflects HHS’ Breach Notification Requirements. There are also certain steps a company can take to stop a breach in practice, including remotely blocking a device or activating an automatic logoff.
4. Understand how your PHI gets shared. We saw from the Target breach of 20TK that the retail giant came down in part because of a business associate’s practices. That’s a good thing to bear in mind here: The organizations with which you share information can often be your weakest link. Phase 2 of the HIPAA audits expects compliance from business associates as well as covered entities. That means any lawyers, accountants, translators, documentation storage companies, transcription services, or others who work with you and disclose PHI in any capacity must comply with HIPAA, too. That falls on them to execute, but it also means you’re in it together to ensure compliance for the data you both touch.
5. Have a third-party auditor check your HIPAA compliance. We already know it’s essential to have an audit trail to help sniff out odd behaviors and get routine updates on how your data is being accessed in order to detect any worrying patterns. Better still might be to contract a third party to do a preliminary audit and fix any issues that might arise from their examination. HIPAA compliance isn’t a one-time event; it’s a process. So it’s wise to do a regular check-in to make sure all systems are up to date and all policies are HIPAA compliant, especially as technology habits are constantly changing.
The Phase 2 HIPAA audits should be taken as a sign that the OCR is beginning to crack down harder on compliance, in particular when it comes to electronic records. Despite the fear the audits have struck in healthcare providers scrambling to make sure everything’s in shape, they’re ultimately a good thing. Preparing for the audits—whether you end up being audited or not—will ensure maximum security for your PHI, allowing you and your staff to focus on what really matters: providing excellent care.
Asaf Cidon is CEO and co-founder of Sookasa, a cloud security and encryption company that enables safe adoption of popular cloud services such as Dropbox and Google Drive to store sensitive information.