6 Foolproof ways to avoid failing a HIPAA audit

All it takes is a stolen or lost laptop, a malware attack, a physical break-in at the office, or a misspelled email recipient, and your company faces up to millions of dollars in fines for violating HIPAA.

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, requires healthcare providers and their business associates to keep medical information private and protected at all times. Entities covered by HIPAA need to pass their audit; otherwise, non-compliance can cost a pretty penny -- in 2017 HIPAA fines totaled more than $19 million; as of June 2018, they are nearly at $8 million.

Penalties have been increasing since the Department of Health and Human Services’ Office for Civil Rights (OCR) finished their HIPAA Phase 2 Audits in 2016. Although they canceled their comprehensive on-site audits in 2017, the OCR plans to continue its audit program in 2019. It may sound depressing, but these events provide plenty of information to help you learn from the lessons of the past audits. Here are some takeaways:

Make sure your Risk Analysis is accurate and covers the whole organization

Performing an organization-wide risk analysis is your company’s first step towards HIPAA compliance. But past audits reveal that many companies underestimated its scope and left out major systems in the analysis. Have everything covered, or else the gaps will show up at your HIPAA Audit.

Have Business Associate Agreements with ALL your business associates

Many past HIPAA fines were due to companies failing to secure proper Business Associate Agreements (BSA) with their contractors and subcontractors. If you need to disclose protected health information to third parties whom you employ, then you must enter into a HIPAA-compliant BSA with them. If you are unsure who falls under the category of “business associate,” see the examples listed here.

Safeguard all ePHI transmissions with encryption

Protected health information (PHI) is most vulnerable to hackers when it is shared and transmitted over the Internet. Make sure you encrypt PHI whenever it leaves your databases, especially when sending to portable devices like laptops or smartphones. No exceptions.

Keep all your software updated

Certain malware and ransomware packages exploit vulnerabilities in outdated software programs, including operating systems like Windows 7 and XP. Protect your system by constantly updating all your software.

Keep PHI safe from unauthorized disclosures

Not all threats to PHI are online. Numerous HIPAA violations involved the improper disclosure of information, usually from people within your company. Two of the most frequent causes of unapproved disclosures are:

• Threats from insiders -- Usually a disgruntled employee is all it takes to leak information to unauthorized parties. Make sure you revoke access to PHI when an employee resigns or is terminated.
• Faulty disposal of PHI -- The most common mistakes are the simplest. One of the top issues in the Phase 2 HIPAA audit was the improper disposal of PHI. Make sure hard copies, CDs and DVDs, thumb and hard drives, and other sources of PHI are shredded, deleted, or destroyed completely, leaving nothing in the trash for scavengers.

Have a comprehensive Incident Response Plan in place

HIPAA compliance includes preparing for the worst. Make sure you have a full post-breach plan, with sufficient backups and contingencies in place. And the second you know the details of a breach, make sure to notify the proper parties. Some companies suffered fines for exceeding the 60-day deadline of the HIPAA Breach Notification Rule.

The truth is, HIPAA compliance requires a lot of time, effort, and resources. There’s just no getting around it. To be a successful healthcare company (or business associate), you must keep your clients’ data safe and secure. A managed services provider like Online Computers can take that burden off your hands with our IT solutions.

Clinics, health insurance companies, HMOs, and other similar businesses in Northern New Jersey have relied on our extensive experience in healthcare IT services to ensure that they are HIPAA-compliant at all times.

You keep your patients healthy, we’ll keep your technology healthy. Contact our experts today.