Industry Voices—3 lessons learned from a HIPAA audit

According to the U.S. Department of Health and Human Services (HHS), approximately 70% of organizations are not HIPAA compliant.

Carol Amick (Courtesy of CompliancePoint)

The Health Insurance Portability and Accountability Act, better known as HIPAA, mandates industrywide standards for healthcare information and electronic billing and requires protection and confidential handling of protected health information. According to HIPAA rules, any company that deals with protected information must have physical, network and process security measures in place and must follow them to ensure compliance.


It may be safe to say that many organizations are still perplexed about HIPAA audits, enforcement and compliance. As a result, the number of organizations that fail to meet compliance each year remains the majority. To begin understanding compliance, healthcare organizations would be wise to consider three key recommendations.

1. Analyze the past to avoid making the same mistake twice

It is important for hospitals and healthcare facilities to look at some of the common mistakes that are repeatedly noted in HIPAA security reviews. Across all the reviews completed, a number of frequent compliance violations and issues are found each year. These include impermissible uses and disclosures of protected health information, lack of safeguards to protect health information, lack of patient access to their personal health information, lack of administrative safeguards on electronic protected health information, and use or disclosure of more than the minimum necessary protected health information. Protecting valuable data by analyzing past mistakes is an important step in the compliance process.

2. Perform a risk assessment and gap analysis

Two preventive measures for assessing an organization’s compliance with HIPAA are a risk analysis and a gap analysis. For some time there has been confusion and a lack of understanding among healthcare professionals about the difference between the two examinations. Not understanding the differences can be detrimental to an organization and puts it at significantly higher risk.

According to HHS and Office for Civil Rights (OCR) guidelines, all healthcare organizations must specifically conduct a risk analysis to be HIPAA compliant. The risk analysis identifies risks and vulnerabilities that could threaten the confidentiality, integrity and availability of electronic protected health information (ePHI).

Organizations can also use a HIPAA gap analysis to measure their information security standing against HIPAA, which is part of HHS audit protocol. Comparing the organization’s current practices to the HHS OCR audit protocol will identify the strengths and weaknesses of the security program.

From there, the organization can determine whether it has reasonable and appropriate administrative, physical and technical safeguards in place to protect patient health information. Performing the gap analysis also allows the organization to develop an audit response toolkit containing the data and documentation that can demonstrate compliance with the HIPAA regulations to regulatory agencies. The risk analysis is a required control as defined in the audit protocol.

Without conducting a thorough and comprehensive risk analysis, a healthcare organization cannot identify the applicable threats and vulnerabilities it needs to address, and so cannot take corrective action. Completing a thorough risk analysis provides insight into the organization’s security position and allows it to make changes before an audit takes place. Organizations should also update their risk analysis at least annually to ensure it reflects current operational practices.


To begin, an organization should document any services that transmit or process ePHI. This includes any business associates or employees that receive and use the ePHI. It’s important to evaluate all aspects of the organization’s operation to verify that all uses and disclosures of ePHI are identified. Don’t assume that your IT shop is aware of all of your uses and disclosures; inquire of all of the operational areas of your organization.

The risk assessment should evaluate the security, use and disclosure of PHI against HIPAA’s privacy, security and breach notification implementation specifications.

3. Develop an action plan and a response toolkit

For many healthcare organizations, the question is not if they will receive a HIPAA audit or an OCR investigation, but when. The OCR, which is responsible for completing HIPAA audits, will contact the organization and ask for a variety of documents and data. Once it reviews those documents and data, the agency will send the organization a preliminary copy of its findings. This preliminary report gives healthcare organizations the opportunity to respond to the OCR and have their responses included in the final report.


From the final report, the OCR will determine whether an organization was in compliance with HIPAA and, if not, where it is lacking. If an organization was not in total compliance, the OCR will provide corrective action and technical assistance the organization can use to work toward compliance.

Developing an action plan, and evaluating the organization’s information security against the OCR audit protocol to build an audit response toolkit, will leave organizations with practical actions that serve their best interest, eliminate mistakes and mitigate risk.

Carol Amick is an experienced healthcare compliance professional with over 20 years of experience in healthcare. She currently serves as the manager of healthcare services at CompliancePoint. During her time as a compliance and privacy director for several healthcare providers, she has led numerous investigations into PHI breaches and responded to outside investigations by the OCR, Office of Inspector General and other regulatory agencies.