If you work in the healthcare industry, you have heard the term HIPAA. Many healthcare professionals understand the basics of HIPAA, but few know what is required to fulfill HIPAA requirements and to be “HIPAA compliant.” This is especially concerning because organizations that don’t understand are neglecting to prioritize their security and compliance. This leaves them vulnerable to a breach and/or audit that could result in significant fines.
There is a lot of confusion in the marketplace today about HIPAA. To help organizations wade through the complexities of HIPAA and completing a security risk assessment, we wanted to walk through a few common HIPAA pitfalls and how to avoid them.
“We are too small to be audited by the Office for Civil Rights (OCR)”
Many organizations think that because they are small, they won’t be audited by the OCR. However, that isn’t the case. We are seeing organizations of all sizes being audited by the OCR and, more recently, by State Attorneys General. There are more resources being assigned to the enforcement of HIPAA compliance meaning it is getting more difficult to “fly under the radar.”
Not only are organizations being randomly audited, they are being audited because of whistleblowers, patient complaints and security breaches. In fact, if an organization experiences a breach that affects more than 500 patients, that breach must be reported to the OCR and posted on the Breach portal. (More lovingly known as the “Wall of Shame.”) One quick look at the list and you can see small, medium and large organizations listed along with health plans and business associates.
We have found that organizations that are complacent with their HIPAA compliance and cybersecurity are typically the ones that experience multiple breaches. These breaches result in repeat notifications to patients, loss of trust, reputation and fines.
“A checklist will suffice for my security risk assessment”
While a checklist would be nice, it is not going to cut it because it doesn’t help you identify where there may be gaps or threats in your organization. A full security risk assessment is required to help you identify threats, assign risk, put together a remediation plan and create a final report for documentation and continued remediation. By completing a full security risk assessment, you can see exactly where your organization may be vulnerable, allowing you to put a plan in place to fix those risks and vulnerabilities.
A checklist would be similar to leaving your house unlocked. You know it is unlocked but you haven’t documented or communicated what risks and threats are. A security risk assessment would tell you your door is unlocked, let you know how many people have walked into your house, what might have been stolen and what security system you should install to fix the situation and prevent it from happening again.
“I only need to complete a risk assessment once”
A common misconception is that organizations only need to complete a security risk assessment once. While that would be convenient, it is not enough to ensure your organization is sufficiently protecting ePHI. With each change in software, personnel, computers and the like, there needs to be a re-evaluation on how it affects the security of ePHI. It is required that any organization that handles PHI or ePHI complete a security risk assessment on an annual basis.
Just like you need to complete your taxes every year, the HHS Office for Civil Rights requires organizations complete a security risks assessment each year. Additionally, if you are participating in an EHR incentive program (e.g., EHR Interoperability, MIPS, MU) you are under even more scrutiny. Prioritizing your annual security risk assessment is not optional, it is required.
Closing Thoughts
HIPAA compliance is often looked at as complex and overwhelming. While there are a lot of regulations involved, compliance boils down to answering one question, “Is your organization adequately protecting ePHI?” Completing a security risk assessment each year helps you answer this question.
The great news is you don’t have to do your HIPAA compliance alone. The HIPAA One and Intraprise Health team is committed to helping organizations simplify and automate their HIPAA compliance by reducing the administrative burden of conducting and maintaining a HIPAA security risk assessment. The HIPAA One® software leverages a step-by-step “Turbo-Tax”-like approach and guarantees passing any audit so regular people can successfully do HIPAA.
We know a breach or audit is no laughing matter. It can cost an organization thousands of dollars. Money organizations don’t have to lose. If you haven’t yet completed your 2019 security risk assessment, it isn’t too late! Don’t leave your organization at risk. Protect your ePHI and strengthen your security posture by completing your HIPAA security risk assessment.