For newcomers to HIPAA, the Health Insurance Portability and Accountability Act, be sure to see our Introductory Guide to HIPAA compliance. Some terminology in this checklist assumes that you already have knowledge of HIPAA.
Audits are almost always a stressful time, even for the most prepared among us. The Health Insurance Portability and Accountability Act, known among practitioners as HIPAA, holds organizations accountable for the security and privacy of health data. The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) is responsible for rule enforcement and for ensuring compliance. The first round of HIPAA compliance audits found that many organizations in the healthcare industry were having a difficult time implementing the technology, plans, and talent necessary to meet compliance.
Zinethia Clemmons, who was the OCR Compliance Audit Program Director in charge of the Phase 1 HIPAA audits, said that roughly 66% of organizations audited did not have the necessary risk assessments in place to meet compliance.
Preparing Yourself: Best Practice Checklist
At the core of HIPAA audits is an organization’s documentation. Through documentation, auditors are able to see just how much effort is being put into meeting compliance. Additionally, security documentation helps an organization establish a security baseline, which can then be used to set standards for work processes, training, and risk assessment. Underlying all of the recommended best practices below is clear documentation, which is discussed below as one of the practices in its own right.
Complete and Continuous Documentation
Your documentation should answer some key questions about your operation. Such questions might include: How secure is your organization? What are your security risks? Do employees understand how to safeguard personal health information? What are your authorization processes? Is BYOD a practice in your organization, and how does it impact security? Who is responsible for what data?
These are just a few questions, but if you are keeping track of events on your systems and of your policies, you should be able to answer them. Software such as Teramind can help with the collection and documentation of the events that happen on your systems. Additionally, security software helps with producing HIPAA-compliant reports. Here is a sample list of the documentation you will need to collect:
- Current Security Goals
- HIPAA Risk Analysis
- Risk Management Plan
- Personal Health Information Locations (Data Flow Charts)
- Vendor Management Policies (Business Associates)
- Notice of Privacy Practices
- Enforceable Consent Agreements
- Incident Response Plan
- Device Policies & Procedures
- Training Logs
- HIPAA Compliant Processes & Procedures
- Device Inventory
- Business Associate Security Requirements
- List of Vendors
- List of All Employees and Their Access to Data
- Continuity Plan
- Policies and Procedures for all three rules (Privacy, Security, and Breach Notification)
Incident Response Plan
It is of the utmost importance that organizations have an incident response plan in place. These plans usually include an assessment of the threat environment, data asset identification, scenario responses, key roles and responsibilities, response tools, a stakeholder alert process, media notification, and a review process. Such a plan depends on a strong relationship with your security processes and your data: if, for example, you do not know what types of data are flowing in and out of your organization, then any plan will be ineffective. An incident response plan is one part of a larger program called an insider threat program.
Continuous Employee Training
Many cyber security professionals, and even HIPAA auditors, regard people as the weakest security link when it comes to safeguarding health data. It is for this reason that staff need to be trained regularly, not just on cyber security but also on HIPAA requirements. Training should be effective, and its progress should be measured. If showing PowerPoint slides alone is not producing any behavior change or reducing risky behavior, then you may need to include a stronger mix of learning tools. Staff should understand acceptable use of PHI, social media compliance, password safety, phishing attacks, social engineering attacks, physical security, and proper data disposal.
Business Associate Contracts
This could also be called vendor management. With regard to HIPAA compliance, you will need to demonstrate to auditors that you are sharing patient data responsibly. The most critical aspects of your vendor contracts need to include the following:
- Mandatory Minimum Data
Your business associates should not have access to more data than is necessary to perform their agreed tasks with you.
- Clarification of Usage
Covered entities need to make clear what PHI business associates may use, where, and how. In short, you need to spell out permissible data usage and prohibited usage. If this is not clarified in the contract, auditors will question how you are holding your vendors accountable for the PHI they have.
- Sharing Notice of Privacy Practices
Covered entities need to ensure that business associates adhere to the privacy practices of the covered entity, so it is wise to include the notice of privacy practices in the contract.
- Security Practice Requirements
Covered entities need to ensure that their business associates have the proper security capabilities in place to protect the PHI they will be handling.
- Breach Notification Requirements
Ensure that business associates are clear that when a data breach does occur, they must notify the covered entity immediately.
- Termination Practices
Once a contract ends, you need to make clear to business associates how and when data is to be either returned or destroyed in a responsible manner.
Risk Analysis Procedures & Management Planning
One of the most important factors in your audit will be how seriously you are considering your security risks. This is why identifying which cyber threats can take advantage of vulnerabilities in your organization is so important. Make sure you list all employees who have authorized access to PHI, and map out the flow of PHI across your network diagrams. These visualizations show auditors that you understand where and how PHI flows through your organization. It is also good practice to accompany these maps with a list of each server and device that has access to PHI.
Once you have that, it is good practice to keep a prioritized list of risks, ranked by the likelihood of each risk occurring and the impact it would have. For the management side, make sure you have a list of vulnerabilities and the security controls that address them, and document any failure to implement a security control for a vulnerability.
One way to be confident of your position is to find the flaws yourself first. Organizations need to perform regular (at least quarterly) audits on themselves. When conducting an internal audit, it helps to work with a third-party security firm for a fresh set of eyes on your processes, management, and documentation. Passing your own self-initiated audits will ensure you find vulnerabilities and address them in full before a real audit comes around.
Insider Threat Program
In 2017, the rise of ransomware took the world by storm, and HHS responded with guidance to US healthcare organizations. Essentially, a ransomware infection is considered a data breach under the Privacy Rule. Ransomware prevention is insider threat mitigation: ransomware and other cyber attacks are often successful because of negligent insiders. If you want to pass your audit, make sure you have an insider threat program established. Insider threat programs work to establish a certified source of information, protocols, and mechanisms to detect, prevent, and respond to insider threats. A full insider threat program should include a mission, a detailed budget, a governance structure, and a shared communication platform. Additionally, you should include:
- Compliance and Process Oversight Board
This group exists to review the organization’s as-is work processes and to recommend changes that prevent insider threats before a data breach occurs. For HIPAA auditors, this demonstrates an ongoing effort to meet compliance.
- Confidential Reporting Mechanisms
Office politics, clique behavior, and a host of other factors can prevent an employee from reporting suspicious behavior. This is why mechanisms for reporting suspicious insiders need to be confidential, so that whistleblowers are protected from retaliation.
- Specialized Training
The insider threat training component details an awareness and training program for all personnel in the organization. People directly involved in the Insider Threat Program, however, receive even more specialized training so that they can better detect and mitigate insider threats.
- Technology Infrastructure
This component is straightforward: it is simply the infrastructure used to detect, prevent, and respond to insider threats. The question to ask is whether the technology supports management’s effort to achieve its mission of preventing insider threats.
There are in total about thirteen components to a typical insider threat program. The other ones not listed include: civil liberty protections, communication framework, supporting policies, data collection tools, vendor management, and risk management integration.
One thing you may have noticed is that if you have an insider threat program, then you have likely covered most of the best practices listed in this article. Security increasingly requires organizations to take into account not just perimeter security but also the threats posed by trusted individuals.
HIPAA audits can be one of the most stressful times for your organization, and they usually come up when stress is already high. Your best bet is to be in the strongest security position possible, which is not just a matter for IT but also one of good management practice and an understanding of security that goes beyond compliance.