The Health Insurance Portability and Accountability Act (HIPAA) sets the healthcare standards for how protected health information (PHI) is handled and safeguarded. The Department of Health and Human Services (HHS) estimates that 70% of organizations are not HIPAA compliant. There is a lot of confusion about who needs to be HIPAA compliant, but the simplest rule is this: if you handle PHI in any capacity, you need to be HIPAA compliant.
The following recommendations are based on recent HIPAA audits and describe what healthcare organizations should implement in order to be HIPAA compliant.
- Avoid making the same mistake as others by analyzing past HIPAA audits
HIPAA security reviews document the common mistakes hospitals and healthcare facilities make with regard to HIPAA law. The most common violations concern the handling of PHI: a lack of safeguards protecting PHI, incorrect use or disclosure of PHI, disclosure of more than the minimum necessary PHI, failure to give patients access to their PHI, and insufficient administrative safeguards on ePHI.
- Risk assessment and gap analysis
It is essential to conduct risk and gap analyses to ensure your HIPAA compliance. The HHS requires healthcare organizations to perform a risk analysis annually to maintain their HIPAA compliance. A risk analysis examines an organization's security measures. Conducting one allows the organization to identify the vulnerabilities that could compromise the availability, integrity, and confidentiality of electronic protected health information (ePHI).
A HIPAA gap analysis, in turn, measures an organization's information security against the HIPAA standards. This is also a requirement mandated by HIPAA, and one that many organizations fail to meet. Conducting a gap analysis allows an organization to identify its security program's strengths and weaknesses. Once the gap analysis is complete, the organization can see where its administrative, technical, and physical safeguards for protecting PHI may be lacking.
A gap analysis also allows an organization to assemble an audit response toolkit: the data and documentation required to prove HIPAA compliance in the event of a HIPAA audit.
- Action plan and response toolkit
The Office for Civil Rights (OCR) is responsible for investigating HIPAA violations. In the event of a HIPAA audit, the OCR contacts the organization in question and asks for data and documentation proving its HIPAA compliance. The OCR uses this information to produce a preliminary report of its findings, giving the organization the opportunity to respond before the final report is issued.
The final report states whether or not the organization is HIPAA compliant. If the organization is found not to be compliant, the OCR identifies where the problems lie. Non-compliant organizations are provided with technical assistance and a corrective action plan in order to attain HIPAA compliance.