By Gregory Fenton
Vice President of Strategic Partnerships, HIPAA One
If you work in the healthcare industry, you have heard the term HIPAA. Many healthcare professionals understand the basics of HIPAA, but few know what is actually required to fulfill its requirements and be “HIPAA compliant.” This is especially concerning because organizations that don’t understand the requirements tend not to prioritize their security and compliance, which leaves them vulnerable to a breach and/or an audit that could result in significant fines.
It also doesn’t help that there is a lot of misinformation in the marketplace about what is required for compliance. In fact, there is so much misinformation that the Department of Health and Human Services (HHS) published a post on HealthIT.gov addressing the Top 10 myths of a Security Risk Analysis.
To help organizations wade through the complexities of HIPAA and completing a security risk analysis, we wanted to walk through a few common HIPAA pitfalls and how to avoid them.
“We are too small to be audited by the Office for Civil Rights (OCR)”
Many organizations think that because they are small, they won’t be audited by the OCR. That isn’t the case. We are seeing organizations of all sizes being audited by the OCR and, more recently, by State Attorneys General. More resources are being assigned to the enforcement of HIPAA compliance, meaning it is getting more difficult to “fly under the radar.”
Not only are organizations being randomly audited, they are also being audited because of whistleblowers, patient complaints and security breaches. In fact, if an organization experiences a breach of unsecured PHI affecting 500 or more individuals, that breach must be reported to the OCR and is posted on the HHS Breach Portal (more lovingly known as the “Wall of Shame”). Smaller breaches still have to be reported, just on an annual basis rather than immediately. One quick look at the list and you can see small, medium and large organizations listed, along with health plans and business associates.
We have found that organizations that are complacent about their HIPAA compliance and cybersecurity are typically the ones that experience multiple breaches. These breaches result in repeat notifications to patients, loss of trust and reputation, and fines.
“A checklist will suffice for my security risk analysis”
While a checklist would be nice, it is not going to cut it, because it doesn’t help you identify where the gaps or threats in your organization actually are. A full security risk analysis is required: it identifies threats and vulnerabilities to ePHI, assigns a risk level to each, produces a remediation plan and results in a final report that documents the findings and tracks continued remediation. By completing a full security risk analysis, you can see exactly where your organization may be vulnerable, allowing you to put a plan in place to remediate those risks and vulnerabilities.
A checklist is like knowing your house is unlocked: you know it is unlocked, but you haven’t documented or communicated what the risks and threats are. A security risk analysis would tell you your door is unlocked, let you know how many people have walked into your house, what might have been stolen and what security system you should install to fix the situation and prevent it from happening again.
“I only need to complete a risk analysis once”
A common misconception is that organizations only need to complete a security risk analysis once. While that would be convenient, it is not enough to ensure your organization is sufficiently protecting ePHI. With each change in software, personnel, computers and the like, there needs to be a re-evaluation of how it affects the security of ePHI. The HIPAA Security Rule requires any organization that handles ePHI to keep its risk analysis current, reviewing and updating it periodically and whenever the environment changes; in practice, that means completing a security risk analysis at least annually.
Just like you need to complete your taxes every year, you should plan on completing a security risk analysis each year, and that is what the HHS Office for Civil Rights expects to see when it audits you. Additionally, if you are participating in an EHR incentive program (e.g., EHR Interoperability, MIPS, MU), an annual security risk analysis is an explicit attestation requirement, so you are under even more scrutiny. Prioritizing your annual security risk analysis is not optional.
HIPAA compliance is often viewed as complex and overwhelming. While there are a lot of regulations involved, compliance boils down to answering one question: “Is your organization adequately protecting ePHI?” Completing a security risk analysis each year helps you answer this question.
The great news is you don’t have to do your HIPAA compliance alone. HIPAA One is Casamba’s preferred HIPAA compliance automation software partner, combining the software with service and support. This approach enables organizations to tailor policies and procedures to their unique cultures. HIPAA One leverages a step-by-step, “TurboTax”-like approach and guarantees passing any audit, so regular people can successfully do HIPAA.
We know a breach or audit is no laughing matter. It can cost an organization thousands of dollars, money organizations can’t afford to lose. If you haven’t yet completed your 2019 security risk analysis, it isn’t too late! Don’t leave your organization at risk. Protect your ePHI and strengthen your security posture by completing your HIPAA security risk analysis.