As the U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) looks to ramp up HIPAA compliance reviews this fall, there is still sufficient time for small healthcare providers to review, update, and even start their HIPAA compliance documentation.
As I have previously indicated, a HIPAA Risk Management Plan must be the foundation of your compliance program. Regardless of the size of your practice, a plan is the most essential component to compliance.
Although there are many topics that must be addressed in a HIPAA Risk Management Plan, here are 5 areas I regard as critical to meeting the government requirements:
1. HIPAA Risk Assessment
The risk assessment is the first step in identifying vulnerabilities. The assessment should include a risk category and provide a gap analysis. It should cover all the addressable and required specifications in the Code of Federal Regulations for the HIPAA Security Rule. The assessment is part of the ongoing security process and should occur annually, at a minimum.
2. Device and Media Management
Policies and procedures that cover the delivery, installation, and removal of computer hardware and electronic media that contain ePHI must be developed and implemented. These must include any device that can be taken off the premises and moved within a facility. With 40% of reported healthcare breaches involving a lost or stolen laptop or mobile device, this is an area OCR could pay a lot of attention to during a compliance review.
3. Breach Notification Policy
Should a breach of electronic health records occur, healthcare providers must provide notifications to the affected individuals, the Secretary of HHS, and the media, in some cases. What is important about your particular policy is making sure the practice’s designated HIPAA Security Official knows exactly what is required and how to handle it. If the breach affects 500 or more individuals, notifications must be made no later than 60 days after the breach was discovered.
4. Security Incident Procedures
Security incident procedures must address how to identify security incidents and provide how the incident is reported to the appropriate individuals within the practice and to law enforcement, if necessary. Procedures must describe how workforce members respond to an incident. This can include preserving evidence; mitigation, if possible; how the incident was caused; documenting the incident and resolution; and ongoing evaluation as part of the risk management plan.
5. Audit Control and Logs
As part of overall technical safeguards, there is a requirement for a practice to implement hardware, software, and procedural devices that record and examine activity in information systems that utilize ePHI. An information system activity review of logs or reports must routinely occur to validate if any ePHI is used or disclosed in an inappropriate way. This is a vital piece to access control monitoring.
Author: Jay Hodes is the President of Colington Security Consulting LLC and the former Assistant Inspector General for Investigations at the U.S. Department of Health and Human Services, Office of Inspector General. In that position he supervised over 200 Special Agents and professional support staff responsible for health care fraud and medical identity theft investigations throughout the eastern United States.
His company provides assistance with HIPAA Security Rule compliance by conducting risk assessments and writing practice specific risk management plans. The assessments identify vulnerabilities and risks; determine the potential impact and provide a gap analysis action plan to prevent unauthorized access, tampering and theft.
Sign up for my monthly Help with HIPAA Newsletter