In March 2013, the enactment of amendments to the Health Insurance Portability and Accountability Act (HIPAA) made it important for healthcare organizations and other covered bodies to complete a HIPAA audit checklist. The aim of a HIPAA audit checklist would be to find any possible risks to the integrity of electronically-stored protected health information (ePHI).
The amendments were introduced as a reaction to the increasing number of ePHI breaches being made known to the U.S. Department of Health and Human Services´ Office for Civil Rights (OCR). The rising number of breaches was attributed to the growing use of personal mobile devices in the workplace to transmit ePHI.
In tandem with this, an audit protocol was published by OCR. Although it was neither a “required” nor an “addressable” stipulation that a HIPAA audit checklist was completed, it makes more sense than ever before to be prepared for HIPAA audits with a new phase of OCR compliance appraisals about to start.
In February 2014, OCR revealed a plan to survey 1,200 HIPAA-covered bodies – 800 healthcare groups and 400 business associates – as the initial step in choosing covered entities for the next phase of HIPAA audits. OCR plans to collate recent data about patient appointments, how ePHI is sent electronically, revenues and business locations in order to assess the “size, complexity and fitness of a respondent for an audit”.
Being chosen to take part in the survey does not necessarily imply that a covered entity will have to get prepared for a HIPAA audit. However, it is important for all covered entities to be aware of the audit protocol. In the previous round of compliance assessments, OCR found most of the appraised covered bodies did not meet the necessary requirements in the areas of security, privacy, and breach notification. This was supposedly due to covered entities being “unaware of the requirements” – something that a HIPAA audit checklist would eliminate.
The chance of being selected for the OCR survey and having to get ready for a HIPAA audit is small. There are more than 700,000 healthcare groups that could be chosen for a compliance appraisal and around 2-3 million Business Associates that now fall under the remit of the HIPAA regulations. Regardless, it is in every covered entity’s best interests that the integrity of ePHI is secure, and the best way to achieve that goal that is with a secure messaging solution.
Secure messaging solutions were formulated as a response to the higher use of mobile devices in the workplace and BYOD policies. They are operated by creating a private communications network through which authorized staff members and Business Associates can gain access to encrypted ePHI and communicate with other authorized users by using secure messaging apps.
The apps can be downloaded to desktop computers and personal mobile devices and work on any operating systems. Communication and access to ePHI is reviewed by a cloud-based platform, which has security measures in place to prevent the transmission of ePHI outside of the healthcare organizations network. Administrative controls are in place to prevent the unauthorized access to ePHI when a computer or mobile device is left unattended, and the “message lifespans” can be set on all communications.
The platform also reviews activity on the network to ensure secure messaging policies are being complied with, and produces audit reports that help administrators with risk assessments. Other ways in which secure messaging solutions can assist covered bodies check the boxes on a HIPAA audit checklist include:
With a secure messaging solution supplying the mechanisms in order that covered entities can adhere with the physical and technical security measures of the HIPAA Security Rule, healthcare groups and Business Associates must put in place policies to provide employees with the best practices to adopt in order to achieve compliance with the HIPAA Security Rule administrative safeguards.
In order to prepare for a HIPAA audit, healthcare groups and Business Associates must also formulate their own risk management analysis, document data management, security and training strategies. They should be aware of what constitutes a violation of ePHI and how to submit a breach report to the OCR – even though one is unlikely to happen with a secure messaging solution established.
A breach of ePHI is an impermissible use or disclosure of ePHI, and is thought to be a breach unless the healthcare organization or business associate can show there is a low chance that the ePHI has been compromised (for example, when ePHI has been encrypted to a high standard). Full details of what makes uo a breach of ePHI and how to report it is downloadable on the U.S. Department of Health and Human Services´ web site.
Preparing for a HIPAA audit will help healthcare groups and Business Associates find any risks to the integrity of ePHI and reduce the chance of fines and possible civil legal action should a breach of ePHI happen. If a secure messaging solution is chosen to prevent the risks, there are some major benefits.
Features such as delivery alerts and read receipts decrease the amount of time medical professionals spend playing phone tag. This allows them to streamline workflows and allocate their resources more productively in a wide variety of scenarios. A health sector professional with access to a HIPAA-compliant secure messaging app can use it to:
Medical workers located outside of a hospital environment – or those who supply telemedicine services – can securely share ePHI “on the go” from any mobile device with secure messaging to save valuable time, increase productivity and improve the standard of patient healthcare provided.
The next phase of OCR compliance appraisals will supply the OCR with the chance to examine the different mechanisms being implemented to adhere with HIPAA. The plan is also to find best practices and see if any new risks and vulnerabilities have been found.
A HIPAA audit checklist is the ideal tool to find any risks or flaws in your healthcare organization or associated business. It is in your best interests to complete a HIPAA audit checklist and carry out an audit on your own measures for protecting the integrity of ePHI.