Are You Prepared for a HIPAA Audit? 7 Steps to Security Readiness GUIDE BOOK

Transcription

1 Are You Prepared for a HIPAA Audit? 7 Steps to Security Readiness GUIDE BOOK

2 Are You Ready? For nearly four years, official HIPAA compliance audits have been on hold. The Department of Human Services (HHS) Office for Civil Rights (OCR) conducted pilot audits from 2009 when the audits became part of the HITECH Act, until 2012 when that program ended. Since then, OCR has been silent. That all changed recently when the OCR released an updated protocol for use in phase two HIPAA compliance audits beginning this year. According to the OCR website, the revised audit protocol covers nearly 180 target areas including: Privacy rule requirements for: Notice of privacy practices for PHI Rights to request privacy protection for PHI Access of individuals to PHI Administrative requirements Uses and disclosures of PHI Amendment of PHI Accounting of disclosure Security rule requirements for administrative, physical, and technical safeguards Breach notification rule requirements 1 In an interview during the HIMSS 2016 conference, Deputy Director of Health Information Privacy Deven McGraw revealed the OCR will be conducting 200 remote desk audits focused on a subset of HIPAA mandates along with 10 to 25 full scale on-site audits. 2 Should you be one of the selected entities, are you prepared for the intense scrutiny of an OCR HIPAA audit? Whether gearing up for an official audit or simply looking to upgrade your organizational security program, preparing for a potential OCR investigation can provide an effective security roadmap. 1 HHS.gov Health Information Privacy web page 2 OCR Releases New HIPAA Audit Protocol, by Marianne Kolbasuk McGee, Healthcare Info Security, ISMG Network, April 5,

3 Here are seven steps you can take to enhance your preparedness: 1. Develop Your Strategy Most organizations have a Compliance Department that s responsible for HIPAA policies and processes involving PHI access and usage. In order to guide this group, your organization should start with an overall corporate strategy that addresses every aspect of compliance. The strategy should center on securing and encrypting PHI at three stages: data sending, data receiving, and data at rest. You need to be able to prove to auditors that you have effective firewalls surrounding all EMR systems during all three phases. A comprehensive strategy provides the framework to build your overall compliance program. 2. Implement a Monitoring Program To ensure security of PHI, many organizations have implemented surveillance of all information moving in and out of the organization. Setting up filters for key phrases can capture communication that contains or refers to PHI and alert the compliance group to private information that may be going outside your organization s walls. Compliance can then follow up with the individuals involved to investigate and resolve the issue. 3

4 3. Tighten Your User Account Management During any review, auditors will look at every application that contains PHI and how that information is accessed. Questions they will ask include: Does the person have rights to get to the records they are accessing? Do they require a user name and password? Do they have a reason to be in that record? - Are they providing direct patient care, consultation services, or are they doing billing? Does each user have an assigned security level based on job type and responsibilities that determines how far and how much information they can get to? There should be a time stamp system that documents who has accessed the system at every point. Limit access on an as needed basis and be able to prove those controls to the auditor. There should be very few people with access to the entire system. You also need to be able to show that you are expiring accounts appropriately. Implement a process for deactivating accounts of terminated employees and ensuring the account privileges of contract employees get terminated at the end of their engagement. To ensure audit compliance for system access, run reports daily on system access activity. Managers should receive a report yearly detailing all employees that have access to clinical information and be required to validate whether each individual still needs access to the system. If they can t prove that they need access, they should be removed from the list. Auditors want to see that there is constant surveillance of access protocol so you need to put systems in place to make sure that is happening on a regular basis. 4

5 4. Protect Your Desktops Auditors understand that one of the most vulnerable points of any security system is the desktop so that should be a particular security focus area. Every desktop computer that has a hard drive should be encrypted and every USB port must be blocked. Any clinical workstation that might have PHI must be protected. Other ways to secure your desktops include deploying virtualization to eliminate all hard drives, instituting strong password requirements, using dual authentication, and utilizing obscure screen, auto logoff, step down PINs, and re-authentication windows. Implementing single sign on (SSO) allows you to mitigate multiple applications and the passwords behind the scenes so you re not exposing them to anyone. 5. Implement an Internal Auditing Program An effective way to ensure you are ready for a third party audit is to implement a multi-level internal audit program. The Compliance team will conduct audits on a real-time interval basis. Network and Desktop services groups should regularly audit their IT systems to ensure all passwords are appropriate and all patches are up to date to protect against both internal and external attacks or viruses. Performing unannounced internal audits is one of the best ways to ensure that your organizational processes are documented and being followed. Conducting annual intrusion testing is another effective way to determine that you are ready for an external audit. Some organizations have security teams that hire hackers to come in and see how far they can get into the system to evaluate whether they are appropriately handling system security. 5

6 6. Highlight Exceptions A key element of your internal audits is to highlight exceptions that you uncover. Run reports on activity in every environment to confirm that all the security measures you ve implemented are in place. Exceptions or findings should be listed and investigated so you can initiate appropriate corrective actions. Develop a monthly security dashboard to share active security projects, as well as discovered vulnerabilities and how they are being addressed. This information should be reported to senior management and the board of directors. Showing external auditors that you re being completely transparent when it comes to security is an important step in successfully passing an audit. 7. Stay Vigilant Preparing for a HIPAA audit is not a static, one time event. There needs to be an ongoing process of checking and follow up. In today s environment where security has taken on such prominence, your organization must be in a constant state of surveillance. The number of attacks on healthcare systems has increased to a level where you can t lower your guard at any time. You need to constantly evaluate your system to make sure all vulnerabilities are secured. Being ever vigilant will not only help you prepare for a HIPAA audit, but more importantly, will ensure that your PHI is protected and secure. Aventura s Sympatica is a flexible, situational awareness platform for highly secure, personalized clinical desktops. Sympatica provides stand alone computer access security through two factor authentication or Pin and go capability and is an ideal solution for organizations that use control/alt/del open desktops or open desktops with no other security. Contact us to learn how we can help you improve your security program. 6

7 7 About Aventura Aventura leverages situational awareness to deliver a highly secure, personalized clinical desktop. With security, personalized desktop and interoperability functionality, Aventura s Sympatica platform is a flexible, modular offering that fits every operational need and budget. Choose from three levels of functionality to solve a specific issue or leverage all three for a complete, integrated clinical desktop solution.

8 CONTACT US Office: 1641 California Street, Suite 400 Denver, CO Phone: