Is your office at risk? Are all your business associate agreements (BAAs) in place, and is your office HIPAA compliant?
As promised, and as part of its continued efforts to assess and enforce compliance with the HIPAA Privacy, Security and Breach Notification Rules, the Health and Human Services (HHS) Office for Civil Rights (OCR) continues to push forward with audits of covered entities and their business associates. HIPAA audit enforcement for 2017 is moving rapidly across all sectors of healthcare, and settlements have ranged from $31,000 to $5.5 million. HIPAA established these national standards for the privacy and security of protected health information, and the Health Information Technology for Economic and Clinical Health Act (HITECH) added breach notification requirements to provide greater transparency for patients whose information may be at risk.
Size Doesn’t Matter
These audits are not limited to hospitals or large entities; small organizations are also under review. On April 20, 2017, a small healthcare provider, the Center for Children’s Digestive Health (CCDH), paid $31,000 and agreed to implement a corrective action plan to settle a potential HIPAA violation arising from the lack of a BAA with a record storage company. This is just one example of the work the OCR is doing to demonstrate the importance of implementing safeguards for electronic protected health information (ePHI).
What You Should Do & Why
It is vital that covered entities put measures in place to safeguard ePHI, but it is even more important that all entities act on those measures. The OCR warns entities that access to ePHI must be provided only to authorized users, including affiliated physician office staff. By implementing audit controls and reviewing audit logs regularly, providers can detect unauthorized access and help prevent hacking incidents.
Under HIPAA, practices must also create a compliance plan and conduct a risk analysis to assess the risks and vulnerabilities in their ePHI environment. They should then implement corresponding risk-management plans to address the risks and vulnerabilities identified in the analysis.
The Cybersecurity Issue
A new HHS report finds healthcare cybersecurity is in “critical condition” and that healthcare provider organizations are at greater risk of cybersecurity breaches than any other type of organization. A healthcare task force released its findings in the Report on Improving Cybersecurity in the Health Care Industry. The report reveals that, due to lax cybersecurity protocols, practices and hospitals are being actively targeted by criminal hackers. Patient information is valuable to those with reprehensible purposes, such as fraud and identity theft. Practices should continue to define and streamline their operating procedures and systems to address or prevent vulnerabilities.
For More Information
Practices are encouraged to take actionable steps to avoid risk. For more information and alerts, visit the HHS health information website or contact the ACR Practice Management Department for HIPAA training and education.