3 ways to get your HIPAA Security Risk Assessment (Soft Audit) done
What are the latest buzz words in the healthcare industry? You guessed it, HIPAA Omnibus rules, HIPAA penalties, and of course HIPAA audits.
Minimum fine increasing from $10,000.00 to $50,000.00 per violation!!!
Is that for REAL?
Unfortunately it is. Talk about baby HIPAA growing its permanent teeth!
Let’s face it. Government giving away up to 44,000.00 per physician! We should have known it was too good to be true. Simply put, there is no free lunch. They probably calculated what it would cost to adopt Electronic Heath Records and implement necessary safe guards then allocated a budget. At least they are paying for it. All we know is that the increase in HIPAA fines and HIPAA inspections is a sign that government is getting very serious. In fairness, there is a real concern here. Patient Health Records contain more personal information than many other databases out there. If compromised, it would mean disaster for the victims. I don’t want to even imagine if such thing happened to me. We live in a country where life is tough without good credit profile.
But first here is a little story:
What prompted me to write about this subject was a recent experience a clinic manager shared with me. A non-profit organization referred them to a 3rd party vendor to have a HIPAA audit done. However, after paying 1500.00 for the service; she was rather surprised and confused to receive nothing but a 70 page questionnaire to answer and send back.
What happened to the Site Inspection by a security professional? One-on-one session to answer any questions and concerns? Unfortunately, it was too late for her as she had already paid the fees and there wasn’t going to be any refund. Well, I figured it doesn’t have to happen to others if more information gets into the hands of Healthcare professionals. So let’s get to it.
First and most important part of meeting the requirements is the HIPAA Risk Assessmen or Readiness Assessment or self initiated audit or anything else people call it, to submit with your meaningful use attestation. When it comes to having a HIPAA risk assessment, you could take different approaches, but here are the top 3 ways to get your HIPAA Risk Assessment (Soft Audit) done:
1- Buy an online kit.
2- Ask your Computer guy or IT guy to check things out.
3- Hire experts.
Please note: this blog is intended to serve as an educational piece and not a solicitation of business. You are free to read it and choose your own course of action.
Let’s take a look at Pros and Cons of each of the following approaches so you are better equipped to make the right decision.
1- Buying an online kit:
- It is like the Do-it-yourself scenario at the Home Depot. You get the instructions and do the work on your own.
- No onsite visit by a professional to determine potential physical security issues involving location of computers, staff’s approach to handling ePHI and access to Routers, Switches, Phone systems, and etc…
- No Sophisticated tools to check for vulnerabilities inside each computer or the server (even if you are using cloud based EHR, your computers must adhere to stringent security standards).
- The new HIPAA Omnibus Rules have raised the fines to 50,000.00 per violation. Unbeknownst to most professionals in Healthcare, computer security is almost as complex as human body and takes years to master it; however, physicians are too busy to even keep up with their own CE courses.
- Some online companies have been charging as high as $1500.00 for a 70 page questionnaire and a binder containing policies and procedures.
- For the few and the brave that decide to go this route, the risks are just like building your own wall. The liability happens to be all yours, and risks are very high.
- This method is more effective than the previous one since it provides with some level of security check on computers and servers.
- Your Computer guy or IT guy charges an hourly fee and would potentially do the basics for 4 to 6 hours worth of work.
- Typical computer or IT guys have general knowledge of Computers & Networks, but are not specialized in dealing with requirements of Health IT.
- They are not familiar with the COMPLEX requirements of HIPAA and Omnibus Rules.
- They don’t have a solid HIPAA package to provide you with Policies and Procedures surrounding your compliance requirements.
- Liability is still there, and risks are high.
3- Outsourcing the process to people with Healthcare IT experience and knowledge of HIPAA audit requirements.
- It would include an onsite visit where trained professionals inspect physical security of all ePHI equipment for potential issues that could result in a violation.
- A network security scan would expose all the so called “Skeletons in the closet” (no pun intended). You would be surprised how many time physicians have been shocked to find out their own computer files (personal documents and information) were visible across the network with others having access to their desktop and documents folders.
- A full report on all areas of concern that would outline the areas needing attention
- A package that provides you with the necessary policies and procedures to keep on hand for compliance.
- One-on-one session to address all your questions and concerns.
- Most specialized firms have their setup very efficient to be able to offer the audit for same price or less that the other two options above.
- Although Liability is still yours, the risks are greatly reduced.
- Finding a professional firm who could do the audit in your area is not easy since it takes time to find and qualify which company offers the right solution.
- Some of the IT firms that provide the service are treating this as a profit center and charge a lot of money. For a one-time audit. Remember, HIPAA audit should encompass what you should do now to BECOME compliant in addition to what you should be doing on a daily basis to STAY compliant.
I am sure your practice serves many patients who suffer from various illnesses on a daily basis. As a healthcare professional, it’s your job to offer any available treatment to your patient to address the issue and to provide your professional advice so that condition is carefully managed. Compliance is a very similar case: as IT security professionals, we must find and secure existing risk factors and provide you with clear guidelines on how to mitigate the risks and help you manage the network so that you STAY compliant.
To help you get a better perspective on the details of what is involved. We have provided a sample of the areas that should be covered in your HIPAA Risk Assessment:
2 Overall Risk
2.1 Conduct Risk Analysis
2.2 Risk Management
3 Environment – Physical Safeguards
3.1 Facility Access Controls
3.2 Facility Security Plan
3.3 Access Control and Validation Procedures
3.4 Maintenance Records
4.1 Information System Activity Review
4.2 Termination Procedures
4.3 Establish Clear Job Description and Responsibilities
4.4 Access Authorization
4.5 Evaluate Existing Security Measures Related to Access Controls
4.6 Password Management
4.7 Administrative Access Control
4.8 Unique User Identification
4.9 Audit Controls
4.10 Person or Entity Authentication
4.11 Minimal Necessary Access (Privacy Rule)
5 Servers and Local Computers
5.1 Protection against Malicious Software
5.2 Applications and Data Criticality Analysis
5.3 Data Backup Plan
5.4 Business Associate Contracts for Cloud Servers and Data Centers
5.5 Encryption and Decryption (data at rest)
5.6 Audit Controls
5.7 Business Associate Contracts for cloud Sync folders (DropBox, Box.com, etc.)
5.8 Encryption and Decryption (data at rest)
6.1 Access Authorization
6.2 Protection against Malicious Software
7.1 Applications and Data Criticality Analysis
7.2 Business Associate Contracts for External Email Providers
7.3 Access Authorization & Access Establishment
8.1 Access Authorization
8.2 Access Establishment
8.3 Workforce Security
8.4 Develop and Implement Transmission Security Policy and Procedures