Short of being audited by HHS/OCR and finding out that your healthcare organization in Greater Boston is in violation of HIPAA, the best way to determine this is to arrange for a HIPAA Risk Analysis by a qualified IT Managed Service Provider who is experienced in HIPAA compliance.
According to HHS:
“Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect electronic health information.”
Ask Your IT Provider To Conduct A HIPAA Risk Analysis
The HHS Security Standards Guide outline nine mandatory components of a risk analysis that healthcare organizations and healthcare-related organizations that store or transmit electronic protected health information must include in their document.
1. The Scope of the Analysis
Any potential risks and vulnerabilities to the privacy, availability, and integrity of the PHI, such as portable media, desktops, and networks. Network security between multiple locations is also important to include in the scope of the analysis and may include aspects of your HIPAA hosting terms with a third party or business associate.
2. Data Collection
Where does the PHI go? Locate where the data is being stored, received, maintained or transmitted. Again, if you’re hosting health information at a HIPAA compliant data center, you’ll need to contact your hosting provider to document where and how your data is stored.
3. Identify and Document Potential Threats and Vulnerabilities
Identify and document any anticipated threats to sensitive data, and any vulnerabilities that may lead to leaking of PHI. Anticipating potential HIPAA violations can help your organization quickly and effectively reach a resolution.
4. Assess Current Security Measure
What kind of security measures are you taking to protect your data? From a technical perspective, this might include any encryption, two-factor authentication, and other security methods put in place by your HIPAA hosting provider.
5. Determine the Likelihood of Threat Occurrence
Take account of the probability of potential risks to PHI—in combination with #3 Potential Threats and Vulnerabilities, this assessment allows for estimates on the likelihood of ePHI breaches.
6,. Determine the Potential Impact of Threat Occurrence
By using either qualitative or quantitative methods, assess the maximum impact of a data threat to your organization. How many people could be affected? What extent of private data could be exposed—just medical records, or both health information and billing information combined?
7. Determine the Level of Risk
Take the average of the assigned likelihood and impact levels to determine the level of risk. Documented risk levels should be accompanied by a list of corrective actions that would be performed to mitigate risk.
8. Finalize Documentation
Write everything up in an organized document. There is no specified format for this, but it is required to have the analysis in writing.
9. Periodic Review and Updates to the Risk Assessment
It is important to conduct a risk analysis on a regular basis. While the Security Rule doesn’t set a required timeline, it is recommended for organizations to conduct another risk analysis whenever the company implements or plans to adopt a new technology or business operation. This could include switching your data storage methods from managed servers to cloud computing, or any ownership or key staff turnover.
The HHS says that this guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the Department for organizations working to meet these requirements. And that you (along with your IT provider) should determine the most appropriate way to achieve HIPAA compliance, taking into account the characteristics of the organization and its environment.
Your IT Provider Can Help You Achieve Compliance With These 10 Best Practices
1. Stay up-to-date on the current threats to healthcare data. Your IT provider can help you do this. They are the ones who keep a pulse on data breaches that healthcare organizations like yours are experiencing.
2. Remediate any security gaps in your IT network. You may need to replace aging technology and update your hardware and software. If not, this weakens your IT security posture and endangers your ePHI. Ask your IT provider to conduct regular vulnerability assessments to detect weaknesses in your defense.
3. Maintain a secure IT infrastructure to prevent cybercriminals’ intrusions. Your IT service company can implement Remote Management and Monitoring and Data Intrusion Solutions to detect unauthorized attempts and block them. Ask them about managed security solutions that improve your security posture, quickly identify malicious attempts, and respond to cybersecurity threats.
4. Your IT provider can implement solutions to minimize your risk with:
- Data encryption so your ePHI and EHRs are secure both in transit and storage.
- Multi-factor authentication where your users must use two or more forms of electronic identification to access data.
- Routinely patch and update your software programs to close any security gaps.
5. Utilize enterprise-based security solutions like managed antivirus, firewalls, advanced threat protection solutions, EDR (Endpoint Detection & Response), and DMARC (Domain-Based Message Authentication, Reporting and Conformance) email-validation.
6. Ask your IT provider to hold Security Awareness Training for your staff to help them recognize phishing and other email and online attacks that try to trick them into revealing confidential information.
7. Use audit controls to gain visibility into your ePHI and EHRs. Monitor all access and record all login attempts to respond immediately to unauthorized attempts. Once again, your IT specialist can set this up for you.
8. Keep records on who has access to your ePHI and EHRs, and make sure that any data access is in line with users’ duties and responsibilities. Only allow access to those who need the information and no one else. Your HR department will have a role to play in this respect to advise and notify you when new employees are brought onboard, changes are made in personnel descriptions, and when employees leave your organization.
9. Perform regular ePHI inventories. Also, identify how you use, collect, store and share patient data. You must have a secure method for deleting ePHI. Remember that if you just drag a file to your computer trash can, it still resides on the computer. Ask your IT provider to help you perform regular inventories to determine where on your systems, servers and applications ePHI is stored.
10. Adopt a HIPAA Security Policy for your organization. This should include all aspects of the “HIPAA Security Rule” and your policies and procedures around it. Also, include an Incident Response Plan that designates a person or team to respond, their roles, and the steps they should take if a data breach occurs. (Who to notify including individuals and government agencies as required.)
Don’t wait until HHS/OCR comes to perform a HIPAA Audit and find out that you’re in noncompliance.
Contact Radius Executive IT Solutions for a HIPAA Analysis and help to implement these 10 best practices for HIPAA Compliance.