3 Tips to Prepare For Next Round of HIPAA Audits

HHS' Office for Civil Rights recently released the details of round two of its HIPAA compliance audit program, and in this round, any covered entity and any business associate of a covered entity are subject to the audits.

For round two of the HIPAA audits, "OCR is stepping up their game, adding security and audit SMEs to their team of regulators, and covered entities and business associates had better as well," says Mac McMillan, current chair of the HIMSS Privacy and Security Policy Task Force and CEO of CynergisTek. Mr. McMillan offers three ways healthcare providers can prepare for the next round of HIPAA audits.

1. Have a valid business associate agreement in place. To maintain HIPAA compliance it is necessary to safeguard patient information when it is within a healthcare organization's four walls and when it leaves the facility. When patient information is being shared with a business associate, it is vital healthcare providers have a business associate agreement in place, says Mr. McMillan. Business associates need to know it is their responsibility to protect patient information that is shared with them, and the requirements for a business associate agreement provided by HHS should be followed when drafting the agreement.

Additionally, covered entities should inform their business associates of self-monitoring requirements, with results transmitted to the covered entity, so the healthcare provider can verify that proper security measures are in place, adds Mr. McMillan.

2. Do a risk assessment. The only way a covered entity can understand its vulnerabilities is to do a risk assessment. Healthcare providers should not only do a risk assessment, but also implement what they learn from the assessment in the security controls they select, says Mr. McMillan. "Select an industry-recognized framework for security like ISO, ITIL or NIST and apply it," adds Mr. McMillan.

3. Do due diligence when it comes to managing vendors. To protect patient information, covered entities must perform due diligence and be aware of their vendors' security programs, says Mr. McMillan. From workforce member screening to physical protection of laptops to transmission security, healthcare providers need to ensure vendors have safeguards in place that adequately protect patient information and promote HIPAA compliance, adds Mr. McMillan.

Even with security measures in place, security incidents and data breaches can still occur; therefore, healthcare providers should also ensure their vendors have an incident response plan.


Copyright © 2023 Becker's Healthcare. All Rights Reserved.
