This blog post is taken from a recent Webinar featuring Marti Arvin, Vice President of Audit Strategy at CynergisTek.
There have been 17 HIPAA enforcement actions since the beginning of 2016, over a period of 15 months. Most of these were the result of self-disclosure where the organization was required to contact the Office for Civil Rights (OCR about a notifiable breach. Two of the 17 were the result of a complaint filed by individuals regarding the protection of their data. Fifteen, or almost 90%, were resolved by settlement with a resolution agreement and corrective action plan. Two were resolved via the formal resolution process. Here are some best practices for ensuring your organization remains compliant.
Monitor and Update BAAs
Some of the key issues involved in these cases are the absence of a business associate agreement (BAA) or failure to update the BAA for changes under the HITECH law. I’ve seen organizations with BAAs that include language to the effect the BAA would automatically include any amendments to the rule. The problem here is that HITECH changes were not technically amendments to the rule. OCR is likely looking for more structured and formal language addressing HITECH changes.
Many organizations tell me they don’t feel comfortable that they’re capturing all their business associate relationships. If your contracting goes through a single source within your organization, this is easier to do. If it’s decentralized, then anyone who can enter into an agreement must fully understand what triggers the need for a BAA or know who can help them.
The key takeaways here: have a process for identifying, evaluating, monitoring and ending business associate agreements.
Monitor and Audit Access to PHI
Organizations must have a strong program for auditing access and monitoring access by both your workforce members and the employees of any third parties with access to your systems. Many do this well for their workforce members, but find it more challenging to do so for third parties. You should require affiliated organizations to provide proof of training and consider conducting a site visit. It’s important to know their privacy and security incident history. What have they had happened? What are some of the issues that they’ve encountered?
Perform Adequate and Routine Risk Analyses
Another key finding is the failure to perform a risk analysis or conducting an inadequate risk analysis. Risks must be assessed on a routine basis. For example, if you performed one in 2005 and another in 2010, and you haven’t performed one since, OCR is unlikely to find this adequate. I suggest letting no more than three years elapse between assessments. The OCR audit process for phase two requires an organization to provide both their prior and most recent risk assessments along with evidence of mitigation of identified risks.
To learn more, watch the full Webinar here.
HealthStream’s learning management system and comprehensive suite of competency management tools empower your healthcare workforce to deliver the best patient care.View All Learning & Performance
When you enact HealthStream's quality compliance solutions, you can do so with the confidence your healthcare organization will meet all standards of care.View All Quality & Compliance
Fulfill compliance requirements with a variety of programs and courseware designed to address critical regulatory requirements as well as educate staff to recognize and mitigate risks.View All Products
HealthStream offers professional training and education on how to best optimize your reimbursement process within your healthcare organization.View All Reimbursement
Learn about our advanced resuscitation training solutions. Our solutions are designed to help improve patient outcomes.View All Resuscitation
Expand the decision-making skills and effectiveness of your healthcare workforce with HealthStream's clinical development programs and services.View All Clinical Development
HealthStream’s learning management system and comprehensive suite of competency management tools empower your healthcare workforce to deliver the best patient care.View All Products
Learn more about HealthStream's Provider Credentialing, privileging, & enrollment solutions.View All Credentialing
Make sure your healthcare staff can schedule out appointments and work schedules with ease using HealthStream's line of software solutions.View All Scheduling