The U.S. Health and Human Services (HHS) Office for Civil Rights (OCR) first began conducting HIPAA audits in 2014. The purpose of these audits is to ensure the protection of each individual's personal health information (PHI) by minimizing the possibility of data breaches.
Equipped with the following knowledge, your company can begin to prepare for the assessments in an effort to ensure that you are ready when notified of a future audit.
What is Title II?
Under the HIPAA umbrella of guidelines, there are five sections, perhaps none more important than Title II. The recommendations in this section should be adhered to at all times, and especially when an audit is forthcoming.
So what does Title II cover exactly? This two-fold section covers both the laws and security of PHI, including electronic PHI. Learn more about Title II by visiting this HHS resource.
3 steps to best prepare for an upcoming HIPAA audit
A recent article on HIPAA Compliance Audits written by phoenixNAP Global IT Services, notes that there are several steps to take in preparation for a future HIPAA audit. The below three are requirements and should be undertaken regularly to enhance your probability of achieving a passing score.
Ensure all employees are trained on HIPAA
If employees are not well-informed on the requirements of HIPAA, it may be hard to follow its guidelines. This will not only affect your score during an audit, but it could also put the PHI of your patients at risk.
Create training modules for employees and document their progress and completion. This would immediately demonstrate your commitment to HIPAA compliance with the OCR upon their visit.
Create a risk assessment and management plan
Risk assessments and management plans are a requirement. These plans should look at the entirety of your organization and all possible risks that could contribute to a breach of data. It is a requirement that the risk assessment is recorded in writing and kept in an accessible location.
Though many organizations do as much as possible to avoid potential breaches, they are sometimes inevitable. When danger hits, there must also be a plan to manage the loss, no matter the scale. This plan should also be accessible to all employees dealing with PHI.
Name a Security and Privacy Officer
A requirement under HIPAA's guidelines is that each covered organization is to name a Security and Privacy Officer. Although some may hire an external individual to fill this position, small or medium-sized organizations may opt to name someone internally with an existing role to undertake these additional duties. Overall, this individual will be responsible for the plans surrounding the privacy and security of PHI within the organization.
This person should keep close contact with the IT team to implement measures and monitor new potential threats. They should also maintain detailed records of previous data breaches, and keep all other stakeholders informed of the status of HIPAA compliance in the organization.
What are examples of HIPAA violations?
Perhaps one of the best ways to ensure you always keep PHI safe and remain compliant is to know what certain HIPAA violations include. A list recently compiled by phoenixNAP Global IT Services includes the following examples:
- Sending a text message that contains PHI. Remember to always use an encrypted form of transmission when working with PHI.
- Accessing patient data on a personal mobile device or home computer.
- Failure to remove access of former employees or current employees who no longer need to view PHI is negligent.
- Lacking proper documentation of HIPAA compliance efforts within your organization.
What types of penalties can an organization face for non-compliance with HIPAA?
There are four tiers of penalties when it comes to non-compliance with HIPAA. Wilful negligence is serious, though all categories come with steep fines that can fall in the range of 50,000 dollars up to 1.5 million dollars per violation.
Company Officers can also be at risk for jail time up to ten years and fines of up to 250,000 dollars for each HIPAA related violation.
A recent example from 2017, occurring at the Memorial Health Care System in Hollywood, Florida, further reinforces the severity of punishment for non-compliance. This private healthcare provider, that operates six hospitals, among other specialized treatment centers, was fined 5.5 million dollars for the PHI leak of 115,143 individuals. In this instance, PHI was accessed without permission by its employees and subsequently disclosed without permission to affiliated physician office staff. More about this case can be read at the U.S. Department of Health & Human Services (HHS) website.
Unfortunately, and as recently as 2019, many healthcare organizations are still missing the mark on HIPAA compliance. As phoenixNAP Global IT Services observes, 2019 HIPAA audits were nothing to be proud of. A few interesting notes include:
- Only 14% of the covered entities and businesses scored a 1, the highest rating, for content breach notification.
- Only 1% of the covered entities and enterprises scored a 1 for right-of-access.
- No covered entities and businesses scored a 1 for HIPAA security risk analysis.
Protecting PHI is important on many levels. When there is a breach of data, there is a loss of trust with your patients and the general public, who may not consider your services in the future. Being prepared during an audit will also ensure you do not receive large fines and other penalties.