Gearing Up for HIPAA Compliance Audits in IT, Part 3: Security Risk Analysis
With HIPAA audits getting underway this year, Covered Entities are starting to ask, “What do I need to do to get ready?” As the president of an authorized Konica Minolta printer and copier company, I am asking that question, too, because the equipment we sell and service may eventually hold PHI (protected health information).
As a Business Associate of many Covered Entities in Northeast Ohio – including hospitals, physician offices, clinics and more in Canton, North Canton, Akron, Youngstown and beyond – the team at Graphic Enterprises recognizes the importance of performing a HIPAA security risk analysis (in fact, the Security Rule requires it), as it pertains to our customers and equipment.
To get everyone in our organization on the same page, we’ve devised this introductory checklist. Of course, as we get a better grip on this whole process, this checklist will probably change somewhat. However, I hope by sharing it, we can help you get started with your own HIPAA risk analysis.
- Start with the basics. Under HIPAA, providers are required to review and update all policies, procedures and protections surrounding PHI. If you do not have a policy, now would be a very good time to draft one and have it scrutinized by legal counsel.
- The buck stops here. Designate someone in your organization to lead the risk assessment and, subsequently, the risk management process. This person should have a good understanding of both the technical (I am talking about systems) and the non-technical aspects of health care compliance.
- Examine the flow of PHI in the real world. Things always look good on paper, right? But, what path(s) does patient information follow in your office or organization on a day-to-day basis? There are three key areas you should be scrutinizing for threats, vulnerabilities, risks and exposures: administrative procedures, physical safeguards, and technical standards and mechanisms. The U.S. Department of Health and Human Services (HHS) provides recommendations in its document, Guidance on Risk Analysis Requirements Under the HIPAA Security Rule. Just a bit of fun bedtime reading, right? (Hint: you will want to do a deep dive into the sections that talk about addressable controls.)
- Create a spreadsheet. I love a good spreadsheet for keeping track of all the details of my business, and there are sure to be many, many details involved in this HIPAA risk analysis. You will need a good way to keep track of them.
- Carefully scrutinize business associate contracts. At the end of the day, a Covered Entity is responsible for patients and their PHI. So, you want control over any PHI you may need to give a business associate, as well as legal recourse should the business associate allow a breach. Every business associate contract should contain an indemnification provision. Again, I recommend that you seek legal counsel on this issue.
- Document everything. Need I say more? This will be especially important when you complete the assessment and begin the management part.
- Keep things fresh. This is not a set-it-and-forget-it process. You may have no way of knowing when you will be audited by the OCR. Therefore, you need to make sure you complete a risk analysis and risk management process at regular intervals, just in case.
Let me know how your HIPAA audit preparation is going. I welcome your comments and input. After all, we are all new at this.