7 steps to pass, or better yet avoid, an OCR security audit
The U.S. Department of Health and Human Services’ Office for Civil Rights is responsible for auditing and enforcing compliance with the HIPAA security and privacy regulations, as well as the additional rules and clarifications contained in HITECH.
OCR enforces privacy and security rules through compliance audits, education and outreach, and subsequent fines or mitigation expenses. OCR also works with the Department of Justice on possible criminal violations.
An OCR audit usually is triggered by one of two events: Either a complaint has been filed against the practice by a patient or an internal whistleblower, or the practice has reported a breach to OCR.
“Breaches affecting 500 individuals or more must be reported to OCR, in addition to other reporting requirements,” explained Troy Young, chief technology officer at AdvancedMD, a medical office platform vendor.
“However, there’s no direct correlation between the magnitude of a breach and OCR’s fine,” said Young, who recently completed a master’s degree in cybersecurity from Utah Valley University.
Jumbo fines, even for small discrepancies
A healthcare organization can be penalized with a large fine even for the smallest breach if it made no effort to comply with the regulations. This is supported by the Department of Health and Human Services’ changes to the HIPAA penalty system in April 2019, which set the annual limits based on the organization’s “level of culpability” for the violation.
“Between April 2003 and July 2018, more than 180,000 complaints were investigated by OCR,” Young reported. “Of those, more than 37,500 were what I would consider ‘audited,’ but only 55 resulted in financial penalties. The objective is not really to avoid penalties; it is to avoid the audit or make it as painless as possible.”
So what steps can a healthcare provider organization take to avoid an OCR audit, or, failing that, to pass one? Young says there are seven steps organizations should take to accomplish this goal.
“As the first step, the organization must educate all staff members on the requirements contained within the Office of the National Coordinator for Health IT Guide to Privacy and Security of Electronic Health Information,” he advised. “The guide discusses providers’ responsibilities under HIPAA; the privacy and security requirements of the Meaningful Use Programs; and approaches for implementing a security management process.”
Gather key staff monthly
The guide has seven chapters. In a practical approach to following the guidance, the compliance leader may choose to assemble key staff once a month, he continued.
“Each month, read a single chapter and take away action items,” he said. “The next month, read the next chapter, and report on the action items from the previous meeting. In this way, a healthcare organization could complete the guide in eight months. That may be easier to learn, retain and implement than trying to do everything at once.”
The remaining six steps are best practices and recommendations covered in the ONC Guide to Privacy and Security, Young said. If an organization follows the guide’s recommendations, it will address all these steps.
“Designate a security officer,” Young advised. “Even small organizations need to select a compliance champion responsible for developing and maintaining security practices to meet HIPAA requirements. This role is responsible for safeguarding the patients’ electronic protected health information from unauthorized access by implementing cybersecurity best practices and coordinating efforts with other leaders such as a privacy officer, practice manager, IT vendor or administrator, and others.”
Policies and procedures
Another step is to review documentation of policies and procedures, Young said.
“Every organization is required to adopt reasonable and appropriate policies and procedures to comply with the security regulations,” he said. “The documentation should cover disclosure of PHI and security measures like encryption of devices, policies for handling printed PHI and patient requests for medical records.”
Chapter 6 of the ONC Guide includes a list of example policies that every organization should have, he added. The organization should periodically review and update documentation based on any industry or organizational changes that might affect the security of ePHI, he said.
Performing a security risk analysis is another key step healthcare provider organizations should take in order to avoid or pass an OCR audit, Young said.
“By performing a risk assessment, an organization can identify compliance gaps and put a plan in place to correct the issues and pass the audit,” he said. “The annual assessment covers physical, administrative, technical and organizational components.”
Talking with vendors
A security officer should review EHR and other software packages, discussing data protection with the vendor, he added. Organizations using on-premises EHRs need onsite staff to maintain and oversee the hardware and software, with regular anti-virus and anti-malware software installations on all computers, daily data backups, and regular tests of those backups, he advised.
“Another key step is reviewing the operating system and software patching processes for basic security measures, such as strong passwords on routers and Wi-Fi access points,” he said. “Assessing vulnerabilities on network systems, especially unpatched software and misconfiguration of network devices, is critical, as is checking server configurations and passwords and making sure patches are current.”
A healthcare organization also can consider hiring an outside security company to perform a HIPAA security risk analysis, he continued. A dedicated security professional can also perform a vulnerability scan to assess how exposed the organization’s systems are, he said.
On another front, healthcare organizations should start creating a risk management plan, Young stated.
“Absence of a security risk assessment or management plan is a common reason for large penalties,” he said. “Healthcare organizations need to create a risk management plan before, not after, a breach occurs. Document risks that come out of the security risk analysis, determine how they’ll be handled, and track progress of remediation efforts. Create a data breach response plan; all breaches must be reported to OCR within 60 days of discovery.”
Review business associate agreements
Also, healthcare organizations should review business associate agreements with all vendors/contractors who have access to PHI, Young said.
“A business associate is any person or organization that interacts with the organization’s PHI,” he explained. “The organization must make sure all business associates perform risk assessments annually. Whether it’s a referring physician, software vendor, laboratory, or medical imaging group who’s handling the records, their breach will also affect the organization.”
Have a good business associate agreement in place – an attorney can help – and demand to know what they’re doing to protect patient records, he insisted. If there are holes in the associate’s security system, understand what they are and the partner’s plan to remediate them, he said.
And finally, healthcare organizations should provide regular HIPAA training to ensure employees are the strongest, not weakest, link, Young advised.
“OCR auditors will ask for proof that the organization frequently communicates with all employees regarding the importance of HIPAA compliance and includes simple reminders for ways the staff can help the organization meet its goals,” he said.
Phishing, passwords and unencrypted PHI
In addition to regular educational sessions on the ONC’s Guide to Privacy and Security, this includes being alert to phishing emails, setting strong passwords and regularly updating them, ensuring information is sent to the correct recipients, and carefully handling unencrypted PHI, he said.
“Data access must be restricted both in-house and throughout the entire process of ePHI transference among authorized parties,” he concluded. “All computer hard drives, especially organization laptops, must be encrypted and handled securely to avoid loss or theft.”