HIPAA Audit Protocols
The Protocols for Auditing HIPAA Covered Entities
The latest HIPAA audit protocols were published by the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) in March 2013, when the Final Omnibus Rule brought into force provisions within the Health Insurance Portability and Accountability Act (HIPAA) intended to safeguard the integrity of protected health information (PHI).
The HIPAA audit protocols are very thorough, consisting of 169 modules which analyze the processes, controls and policies relating to privacy, security and breach notification. Not all the modules will apply to every HIPAA covered entity, since the areas assessed depend on the nature of the entity's business, but it is worth being familiar with the areas at which the protocols for auditing HIPAA covered entities are targeted:
- The HIPAA Privacy Rule – specifically the notice of privacy practices for PHI, patients' rights to request privacy protection for PHI, the access of individuals to PHI, administrative requirements, uses and disclosures of PHI, the amendment of PHI, and the accounting of disclosures.
- The HIPAA Security Rule – specifically the requirements set out in the administrative, physical, and technical safeguards. These three groups of safeguards cover how electronic PHI (ePHI) is stored, accessed and transmitted, and include the risk analysis and the policies and procedures (such as those governing messaging) that a covered entity must maintain.
- The HIPAA Breach Notification Rule – specifically how to determine if a breach of PHI has occurred, under what circumstances it should be reported to the OCR, who else the breach should be reported to and what to do in the event of a breach by a Business Associate.
Many of the new protocols for auditing HIPAA covered entities were introduced in response to the growing number of personal mobile devices in the workplace. According to one study, more than 80 percent of physicians use a personal mobile device to access or communicate PHI, and OCR's breach reports show that the loss or theft of a mobile device is the leading cause of patient data breaches.
Complying with the HIPAA Audit Protocols
Possibly the toughest elements of the HIPAA audit protocols are those within the Security Rule. These require safeguards that prevent unauthorized physical access to ePHI stored on hardware devices (including USB flash drives), that secure ePHI while it is transmitted, and policies that tell employees how PHI may be communicated, along with the sanctions that apply if the policy is broken or a breach occurs.
One practical way to address the messaging-related requirements of the HIPAA Security Rule, and thereby the corresponding parts of the HIPAA audit protocols, is to implement a secure messaging solution. Secure messaging solutions keep PHI encrypted in a cloud-based environment, limit the communication of PHI to within an organization's private network, and provide administrative controls for monitoring how the solution is used. A messaging solution on its own does not satisfy the whole Security Rule; the risk analysis, workforce training and the remaining administrative, physical and technical safeguards still have to be in place.
Secure messaging solutions are easy to implement, as the apps through which authorized users access and share PHI have a text-like interface that anyone who has used a commercially available messaging app will recognize. Furthermore, because secure messaging solutions are delivered as cloud-based "Software-as-a-Service" platforms, there is no need to purchase servers or hardware, or to strain the resources of an IT department to roll out a complicated software program.
An Example of How Secure Messaging Solutions Assist Compliance
One of the provisions covered by the protocols for auditing HIPAA covered entities is §164.530(c) of the Privacy Rule, which requires that "A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards". Secure messaging solutions address this requirement in a number of ways, including:
- Safeguards are in place to prevent PHI from being sent outside of an organization's private network, copied and pasted, or saved to an external hard drive.
- Message lifespans can be assigned so that messages "self-destruct" upon being read or after a predetermined period of time (subject to any record-retention obligations that apply to the content of a message).
- Automatic logoff (an addressable implementation specification under §164.312(a)(2)(iii) of the Security Rule) prevents unauthorized access to PHI if a desktop computer or mobile device is left unattended.
- Administrators can remotely retract and delete messages, or PIN-lock a secure messaging app, if a mobile device is lost, stolen or sold on.
In addition to these safeguards, all PHI is encrypted both at rest and in transit in line with the NIST standards referenced in HHS's guidance on securing PHI. This matters because PHI encrypted in accordance with that guidance is not "unsecured" PHI: if an encrypted device or message store is lost, the incident is not a reportable breach as long as the decryption key has not also been compromised. Under these circumstances it is unlikely that a healthcare organization or Business Associate would be fined heavily by OCR or subject to civil action by patients whose PHI was on the lost device. The caveat is the key: if the key is stored alongside the data, or is protected only by a weak device PIN, the encryption provides no such protection.
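The following added example (written for this page, not code from the article or from any secure messaging vendor) shows what three of the controls listed above look like in practice: PHI held only in AES-GCM encrypted form at rest, message lifespans that expire on read or after a time-to-live, and an inactivity timeout that forces an automatic logoff before PHI is served. It also shows the key caveat: someone holding the stored blob but not the key gets an authentication failure, not PHI. It assumes the `cryptography` package is installed; the class and function names, the timeout values and the sample message are all illustrative.

```python
"""Added example: a minimal encrypted message store with lifespans and
automatic logoff.  Requires the `cryptography` package.  All names and
values below are illustrative, not a real product's API."""

import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


@dataclass
class StoredMessage:
    nonce: bytes                  # 96-bit AES-GCM nonce, unique per message
    ciphertext: bytes             # ciphertext || 16-byte authentication tag
    sender: str
    recipient: str
    created_at: float
    ttl_seconds: Optional[float]  # None = no time-based expiry
    burn_on_read: bool


class SecureMessageStore:
    """Holds messages only in encrypted form; plaintext exists in memory
    only inside send() and read()."""

    def __init__(self, key: bytes, idle_timeout_seconds: float) -> None:
        if len(key) not in (16, 24, 32):
            raise ValueError("AES key must be 128, 192 or 256 bits")
        self._aead = AESGCM(key)
        self._messages: Dict[int, StoredMessage] = {}
        self._next_id = 1
        self._idle_timeout = idle_timeout_seconds
        self._last_activity: Dict[str, float] = {}  # user -> last action time

    # ---- session handling: automatic logoff ------------------------------
    def login(self, user: str, now: float) -> None:
        self._last_activity[user] = now

    def is_logged_in(self, user: str) -> bool:
        return user in self._last_activity

    def _require_active_session(self, user: str, now: float) -> None:
        last = self._last_activity.get(user)
        if last is None:
            raise PermissionError(f"{user}: not logged in")
        if now - last > self._idle_timeout:
            # Automatic logoff: terminate the session rather than serve PHI.
            del self._last_activity[user]
            raise PermissionError(f"{user}: session expired after inactivity")
        self._last_activity[user] = now

    # ---- message lifecycle -----------------------------------------------
    def send(self, sender: str, recipient: str, phi_text: str, now: float,
             ttl_seconds: Optional[float] = None, burn_on_read: bool = False) -> int:
        self._require_active_session(sender, now)
        nonce = os.urandom(12)
        # Binding sender/recipient as associated data means a blob cannot be
        # silently re-addressed to another user without failing the tag check.
        aad = f"{sender}->{recipient}".encode()
        ciphertext = self._aead.encrypt(nonce, phi_text.encode(), aad)
        mid = self._next_id
        self._next_id += 1
        self._messages[mid] = StoredMessage(nonce, ciphertext, sender, recipient,
                                            now, ttl_seconds, burn_on_read)
        return mid

    def read(self, user: str, mid: int, now: float) -> str:
        self._require_active_session(user, now)
        msg = self._messages.get(mid)
        if msg is None:
            raise KeyError("message no longer exists")
        if user != msg.recipient:
            raise PermissionError(f"{user} is not the addressee")
        if msg.ttl_seconds is not None and now - msg.created_at > msg.ttl_seconds:
            del self._messages[mid]          # lifespan exceeded: purge unread
            raise KeyError("message expired")
        aad = f"{msg.sender}->{msg.recipient}".encode()
        plaintext = self._aead.decrypt(msg.nonce, msg.ciphertext, aad).decode()
        if msg.burn_on_read:
            del self._messages[mid]          # "self-destruct" on first read
        return plaintext

    def retract(self, mid: int) -> bool:
        """Administrative remote retract/delete of a message."""
        return self._messages.pop(mid, None) is not None

    def export_at_rest(self, mid: int) -> Tuple[bytes, bytes, bytes]:
        """What a thief who copies the storage actually obtains."""
        msg = self._messages[mid]
        return msg.nonce, msg.ciphertext, f"{msg.sender}->{msg.recipient}".encode()


def can_decrypt(nonce: bytes, ciphertext: bytes, aad: bytes, key: bytes) -> bool:
    """True only if `key` is the real key; any other key fails the GCM tag."""
    try:
        AESGCM(key).decrypt(nonce, ciphertext, aad)
        return True
    except InvalidTag:
        return False
```

Time is passed in explicitly (`now`) rather than read from the clock so that expiry and idle-timeout behaviour can be exercised deterministically; a real deployment would use the system clock and would keep the key in a key store or hardware-backed keystore rather than in process memory.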
Additional Benefits of Secure Messaging Solutions
In addition to safeguarding the integrity of PHI and helping healthcare organizations meet the requirements of the protocols for auditing HIPAA covered entities, implementing a secure messaging solution has produced benefits for healthcare organizations in terms of increased productivity and the quality of care delivered to patients.
Delivery notifications and read receipts are just two of the features which help to eliminate phone tag and allow medical professionals to allocate their resources more productively. The ability to prioritize messages within one convenient inbox allows physicians to streamline their workflows and deal with urgent healthcare matters before responding to less important issues.
Other benefits of implementing a secure messaging solution to comply with the requirements of the HIPAA audit protocols include:
- Efficiently managed patient admissions
- Greater message accountability
- Accelerated delivery of test results
- Secure collaboration regarding a patient's treatment
- Effective escalation of patient concerns
- Fast confirmation of prescription orders
Outside of a physical medical facility, emergency personnel and on-call doctors can receive patient data on the go with secure messaging. Home healthcare professionals and community nurses can request physician consults with secure messaging, and telemedicine practitioners can treat their patients remotely without risking a breach of PHI.
OCR Compliance Assessments on their Way
In February 2014, OCR announced that it was to survey 1,200 healthcare organizations and Business Associates as the first step in the next round of HIPAA audits. The survey will collect data relating to patient visits, the use and sharing of PHI and business revenues in order to assess the “size, complexity and fitness of a respondent for an audit”.
In the last round of compliance assessments, many HIPAA covered entities failed to meet the protocols for auditing HIPAA covered entities as they were unaware of what the requirements were. Those still unaware of the HIPAA audit protocols should visit the OCR’s website and read up on the performance criteria.
Since OCR has the authority to impose substantial financial penalties on covered entities that fail an inspection by OCR auditors, and heavier penalties still if a breach of PHI subsequently occurs, it is vital that healthcare organizations and Business Associates make themselves aware of the measures they have to take to protect the integrity of PHI and pass an OCR compliance assessment.