The Health Insurance Portability and Accountability Act (HIPAA) mandates industry-wide standards for proper management of health care information and electronic billing. HIPAA compliance requires protection as well as the confidential handling of all protected health information (PHI).
According to HIPAA rules, any company that deals with protected information must have a physical network and security measures that are followed to ensure compliance. It may be safe to say that many organizations are still perplexed about HIPAA audits, enforcement, and compliance.
As a result, the number of organizations that fail to meet compliance each year remains high. In fact, according to the United States Department of Health and Human Services (HHS), approximately 70% of organizations are not HIPAA compliant.
To begin understanding compliance, healthcare organizations would be wise to consider three key recommendations.
Three key recommendations to improve HIPAA compliance
1. Analyze the past to avoid making the same mistake twice
It is important for hospitals and healthcare facilities to look at some of the common mistakes that are repeatedly observed in HIPAA security reviews. HIPAA states that out of all the reviews completed, there are a number of frequent compliance violations and issues that are found each year.
- lack of safeguards to protect health information
- impermissible uses and disclosures of protected health information
- lack of patient access to their personal health information
- lack of administrative safeguards on electronically protected health information
- use or disclosure of more than the minimum protected health information
Protecting valuable data by analyzing past mistakes is an important step in the compliance process.
2. Perform a risk assessment and GAP analysis of your organization’s HIPAA compliance
Preventative measures to use when assessing an organization’s compliance with HIPAA include:
- risk analysis
- GAP analysis.
The confusion and lack of understanding around the two approaches is common among healthcare professionals in the marketplace. Not understanding the differences between the two can be detrimental to an organization. It can put them at a significantly higher risk of a HIPAA violation.
According to the HHS Office of Civil Rights (OCR) guidance materials, healthcare organizations must specifically conduct a risk analysis to be deemed within HIPAA compliance.
–The GAP analysis
A HIPAA GAP analysis can be used to measure the organization’s information security standing against HIPAA, which is part of HHS audit protocol. Comparing the organization’s current practices to the HHS OCR audit protocol will identify the strengths and weaknesses of the security program.
From there, the organization can determine whether they have reasonable and appropriate administrative, physical and technical safeguards in place to protect patient health. Performance of the GAP Analysis also allows the organization to develop an audit response toolkit. This includes the data and documentation that would be able to support compliance with the HIPAA regulations to regulatory agencies.
–The risk analysis
The risk analysis is a required control as defined in the audit protocol. Without conducting a thorough and comprehensive risk analysis, a healthcare organization cannot identify the applicable threats and vulnerabilities and take corrective action.
Completing a thorough risk analysis provides insight into the organization’s security position. It also allows for change before an audit takes place.
Risk analyses should be updated at least annually to ensure they reflect current operational practices. The risk assessment should evaluate the security, use, and disclosure of PHI against HIPAA’s privacy, security and breach notification implementation specifications.
To begin, an organization should document any ePHI (Electronic Personal Health Information) transmitting or processing services. This includes any business associates or employees that receive and use the ePHI.
It’s important to evaluate all aspects of the organization’s operation to verify all uses and disclosures of ePHI are identified. Don’t assume that your IT shop is aware of all of your uses and disclosures. Make inquiries into all of the operational areas of your organization.
3. Develop an action plan and a response toolkit
For many healthcare organizations, the question is not if they will receive a HIPAA audit or an OCR investigation, but when. When this happens, the OCR, the part of HHS responsible for completing HIPAA audits, will contact the organization. They ask for a variety of documents and data in preparation for the audit/investigation.
–Review and Determination
Once these documents and data are reviewed, the OCR will send the organization a preliminary copy of its findings. This preliminary report gives healthcare organizations the opportunity to respond to the OCR and have their responses included in the final report.
From the final report, the OCR will determine if an organization was in compliance with HIPAA and, if not, where the organization was lacking. If an organization was not in total compliance, the OCR will provide corrective action. In addition, they will provide technical assistance the organization can use to work toward compliance.
Develop an action plan, and evaluate the organization’s information security against the OCR audit protocol to develop an audit response toolkit. This will leave organizations with practical actions that serve their best interest, eliminate mistakes, and mitigate risk.
In conclusion, utilizing the help of professionals with expertise in HIPAA compliance is always recommended.
Carol Amick is an experienced healthcare compliance professional with over 20 years of experience in healthcare. After starting her career at HCA she moved on to become a compliance consultant for a “Big 4” accounting firm and has since served as the Internal Audit Director, Compliance Director and Privacy Officer for several healthcare providers. Carol has worked with post-acute care, outpatient, and acute care providers to develop and implement effective compliance programs. During her time as Compliance and Privacy Director, Carol has led numerous investigations into PHI breaches and responded to outside investigations by the OCR, OIG and other regulatory agencies. She has extensive experience in helping organizations ensure compliance with the complex healthcare regulations and with responding to regulatory audits and investigations. She currently serves as the Manager of Health Care Services at CompliancePoint.