Healthcare providers, payers, exchanges, and many service providers to the healthcare industry are under increased pressure to demonstrate their compliance with the security and privacy requirements of HIPAA. Per the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), the key to avoiding monetary enforcement penalties is to seek compliance, that is, to establish a culture of compliance. A culture of compliance is what demonstrates that your organization has not ignored its HIPAA obligations. The following are some of the most common HIPAA compliance gaps we see in practice; when the corresponding controls are missing or materially deficient, they can result in significant monetary fines.
#1: Risk Analysis
Do you know how your protected health information (PHI), and the IT environment where it exists electronically, might be susceptible to compromise?
Risk analysis is a formal activity required by the Security Rule’s Administrative Safeguard #1 — Risk Analysis. HHS has published guidance on it, and established methodologies exist for performing it. The most widely used methodology is NIST Special Publication 800-30, “Guide for Conducting Risk Assessments.” Following the guidance and methodology will lead you through a formal analysis that answers key questions, such as:
- What assets require protection?
- What level of protection is needed?
- How might an asset be compromised?
- What controls are in place to safeguard the asset?
- What is the impact if safeguards fail?
- Do the controls reduce risk to an acceptable level? If not, what should be done to reach an acceptable risk level?
You should have an inventory of your organization’s ePHI (electronic protected health information) and where it is located. This is sometimes referred to as the “ePHI environment” and it often defines the scope of a compliance audit or assessment. The inventory should consist of formal documentation that identifies the application systems, databases, data stores, and system components that support or protect the ePHI.
#2: Policies & Procedures
Have you established policies and procedures responsive to the risk analysis and HIPAA’s expectations?
HIPAA requires organizations to implement reasonable and appropriate policies and procedures to comply with its standards and implementation specifications, covering areas such as:
- Risk management
- Acceptable use
- Logging and monitoring
- Security administration
- Malicious software
- Breach notification
- Data backup
- Business continuity and disaster recovery
- Workstation security
- Records retention
Establish and document policies and procedures to address all HIPAA security and privacy requirements and the practices that demonstrate compliance with HIPAA and the organization’s policies.
#3: Security Awareness & Training
Have you trained the workforce in how they should handle PHI from the perspective of privacy and security?
Train the workforce, emphasizing the practical aspects of how security and privacy fit into their day-to-day job performance. Orientation and annual refresher training are important, but not adequate on their own to build realistic user awareness. Supplement them with periodic reminders on relevant topics, delivered from the top of the organization to the bottom.
The bottom line is that performing the risk analysis and creating appropriate policies and procedures, but then failing to train people and failing to enforce policy, is generally considered willful neglect and leads to harsher consequences should a breach occur.
#4: IRP & Continuity Plan
Have you established an incident response plan? A continuity of operations plan?
Most of the time, the formal documents “Incident Response Plan” and “Disaster Recovery Plan” have simply not been developed.
#5: Encryption & “Addressables”
Have you treated “addressable” HIPAA implementation specifications appropriately?
All of the HIPAA Security Rule’s Standards are required; however, under some Standards there are “Implementation Specifications” that are classified as either “Required” or “Addressable.” A “required” implementation specification is similar to a standard, in that a covered entity must comply with it. The concept of “addressable implementation specifications” was developed to give covered entities additional flexibility in how they comply with the security standards. Organizations often wrongly assume that “addressable” means “optional,” but it does not. For each “addressable” implementation specification, a covered entity must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in its environment, and document that decision.
Encryption is an “addressable” specification, both for ePHI in transmission and for ePHI at rest. All too frequently, gaps such as “Encryption decision not addressed in the Risk Analysis or at all” and “Encryption decision perhaps at odds with logic, considering HHS breach reporting statistics” are noted.
It is not uncommon for compliance gaps to surface when an audit is conducted. Linford & Company works with our clients to identify these gaps and recommend a plan of action to remediate and close them. This often entails providing compliance advice, sanitized samples of required artifacts, and templates to assist in completing the remediation plan. After any gaps have been closed and compliance testing has been satisfactorily completed, Linford & Company may issue a compliance attestation report, if desired.
Linford & Co., LLP, founded in 2008, is comprised of professional and certified auditors with specialized expertise in SOC 1, SOC 2, HIPAA, HITRUST, FedRAMP and royalty/licensing audits. Our auditors hold CPA, CISA, CISSP, and GSEC licenses and certifications.