5 steps to prep for an OCR audit

Towing the PHI Line
By Benjamin Harris

This is going to be a big year on many health IT fronts: ICD-10, meaningful use, BYOD policies, the list goes on. It is also going to be the year when the Office of Civil Rights (OCR) plans to step up its compliance audits of hospitals in a crackdown on personal healthcare information (PHI) breaches.

"They're going into 2013 with a lot more vigor right now," says Lee Barrett, executive director of the Electronic Healthcare Network Accreditation Commission (EHNAC), about OCR's approach to PHI audits. "Basically they're putting the industry on notice."

Barrett spoke to Healthcare IT News about some important factors to consider as hospitals move into the new year, with an eye toward a possible audit and better data handling and security overall.

1. Assure compliance with HIPAA/HITECH provisions of security, privacy and confidentiality of PHI. Every hospital necessarily is a big place when it comes to PHI. Sensitive information that is critical to a patient's outcome and to the hospital's reimbursement travels through many hands during treatment. There are standards in place that an organization can adhere to in order to protect this information, most notably HIPAA and HITECH. Still, keeping track of the information and making it accessible to the right people at the right time, while protecting it from breach, loss or theft, can amount to a full job. "It's important for organizations to look across the entire infrastructure, creating what I would call a security framework for PHI," says Barrett, who stresses the need to take a holistic view of information transfer. "Look at it from the standpoint from how information is flowing from all stakeholders and points," he says. With increased audits on their way, Barrett says accountability, in the form of someone who oversees compliance, is a sound investment. "Somebody needs to have responsibility," he says. "You need a PHI safety officer to make sure [you] meet compliance. ... Organizations need to be positioned to be able to address an audit."

2. Conduct risk assessments, implement strategies. There are risks and snags lurking everywhere in a hospital's communications structure. From how data is stored to how it makes its way from device to device, there is plenty of room for error, an overlooked weak point, or hole in the system's armor. "Organizations need to understand their risk structure," says Barrett. He talks about identifying any and all potential weak spots, and then tackling the respective security of each one. "Is the PHI available in databases? If so, which things are? Is there high risk data on workstations and laptops? Which ones?"

Any number of factors, if overlooked, can lead to a loss of PHI. "Look at things like facility access controls, workstation use and security, device and media controls," says Barrett. With portable devices such as laptops, tablets, and flash drives, he says to look at "How is hardware removed and how is it audited?" Barrett notes that even after these gaps are plugged, vigilance is required: what happens when a new IT system is acquired, or if a separate branch merges with the organization? Additionally, healthcare organizations contract with many outside groups, and Barrett says part of a good security policy looks closely at those interactions. "Ensure that all data is encrypted and transferred over secure communications lines," he says.