This blog post is taken from a recent Webinar featuring Marti Arvin, Vice President of Audit Strategy at CynergisTek.
A cornerstone of auditing HIPAA compliance is the existence of a clear and established process. If you haven’t done so recently, consider revisiting your process for auditing employee access to PHI. OCR requires you to demonstrate you have a strong process that assures prompt investigation and notification in no more than 60 days after the discovery of inappropriate access. You must document not only your findings, but also your process for conducting the audit. You will be expected to demonstrate a labor-intensive auditing process, unless you have technology tools to assist you.
Making Tough Choices
I often hear, “We don’t have money to buy that technology or software. We don’t have money to hire the people to do this.” That will never be an adequate explanation for OCR. You’re in the healthcare business, and under current regulations, there is an expectation you will do what is necessary to protect the data of the individual. Organizations must make the technology and administrative choices necessary to mitigate their risks. The technology and staffing I used at UCLA may not be the same as yours. What’s important is the result.
For example, you may have established a process that routinely reviews the volume of records reviewed by employees. If Marti normally has access to 50 patient records a day, and suddenly she’s looking at 200 records a day, why is that? Did Marti have an assigned special project she was working on, or was she doing something else? Was she doing something nefarious? Was she selling patients’ identities or allowing someone else to steal identities? You must have a structured process for auditing employee access.
When your audit process identifies anomalies, ensure you investigate them promptly and thoroughly. The review must determine whether the anomaly is harmless and appropriate, providing the reasons why, or whether it’s an inappropriate anomaly that must be reported. Your process should be ongoing and repeated as needed.
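The volume check described above (a user who normally touches about 50 records a day suddenly touching 200), as an added example that is not part of the original post: it builds each user's baseline from constructed audit-log lines, flags a day that exceeds that baseline by an assumed factor of three, and attaches the 60-day notification deadline the post cites so the finding can be tracked through investigation.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# Constructed sample audit-log lines "user,date,patient_record"; not real data.
ACCESS_LOG = [
    *[f"marti,2024-03-{d:02d},P{1000 + i}" for d in range(4, 9) for i in range(50)],
    *[f"marti,2024-03-11,P{2000 + i}" for i in range(200)],
    *[f"alex,2024-03-{d:02d},P{3000 + i}" for d in range(4, 9) for i in range(30)],
    *[f"alex,2024-03-11,P{3000 + i}" for i in range(32)],
]

NOTIFICATION_WINDOW_DAYS = 60  # notification deadline after discovery, as cited in the post
SPIKE_FACTOR = 3               # assumed threshold: > 3x a user's typical daily volume is an anomaly


def daily_counts(lines):
    """Return {user: {date: number of distinct patient records accessed that day}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        user, day, record = line.strip().split(",")
        seen[user][date.fromisoformat(day)].add(record)
    return {u: {d: len(r) for d, r in days.items()} for u, days in seen.items()}


def find_volume_anomalies(lines, review_day, factor=SPIKE_FACTOR):
    """Compare each user's volume on review_day with the median of their earlier days.

    Each finding carries the fields an investigator needs to document the case.
    """
    if isinstance(review_day, str):
        review_day = date.fromisoformat(review_day)
    findings = []
    for user, days in daily_counts(lines).items():
        today = days.get(review_day, 0)
        history = [n for d, n in days.items() if d < review_day]
        if not history:
            continue  # no baseline yet for this user; nothing to compare against
        baseline = median(history)
        if today > baseline * factor:
            findings.append({
                "user": user,
                "day": review_day.isoformat(),
                "records_accessed": today,
                "baseline": baseline,
                "status": "open",  # set to "appropriate" or "reportable" once reviewed
                "notify_by": (review_day + timedelta(days=NOTIFICATION_WINDOW_DAYS)).isoformat(),
            })
    return findings
```

Run over the constructed log, only the 200-record day is flagged; the 32-record day for the second user stays within the baseline and produces no finding.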
You must also perform a periodic risk analysis. How often is often enough? The industry standard is at least once every three years, and I recommend this as a minimum. The OCR phase two audit process includes a security provision requesting that organizations provide them with both the prior and most recent risk assessments. They want to examine the time frame between issues you identified in the prior assessment and in the most recent. They want to see evidence you have mitigated any identified risk or evidence the mitigation is well underway.
You may think, for example, people transferring PHI to a thumb drive is a threat to your organization. One solution might be installing software that encrypts anything transferred to a thumb drive. Alternatively, you may disable USB drives so no one can download data to a thumb drive. Those are two very different but acceptable ways of handling the same issue. In either case, you’ll be expected to repeat the risk analysis to evaluate whether your remediation is working and to address any new risks to the environment.
If you make the tough choices, you can sleep well, knowing you have a solid process for assuring HIPAA compliance.