As most hospital executives and CIOs know, the Office of Civil Rights (OCR) is pushing compliance audits to heighten personal healthcare information (PHI) security measures and avoid data breaches. The Omnibus HIPAA or potential passing of the Executive Orders does not change their approach; but rather, implies the need for healthcare organizations to step up their facility’s information security plan.
Better data handling and information security has never been as important for healthcare CEOs and CIOs as it is now. Some steps that can assist compliance efforts and passing OCR audits to avoid fines will surely come in handy.
6 steps healthcare executives can take to comply with HIPAA and prepare for OCR audits:
-
Setting up the security, privacy and confidentiality of PHI to meet HIPAA/HITECH provisions.
-
Training staff to know what they must do and mustn’t do in order to keep the security, privacy and confidentiality of PHI in place. Note: The omnibus HIPAA new breach definition makes this aspect all the more important, unless healthcare facilities wish to continuously start reporting breaches.
-
Regular risk assessments to acknowledge how data is stored or how it moves from device to device and finding system vulnerabilities that can risk loss and exposure of sensitive information, as well as malfunction or unwanted penetration by hackers with motive.
-
Ensuring that all business associates and external entities who assist with the maintenance of healthcare data also implement staff training and a strong information security plan in order to comply, pass audits and avoid penalties. A business agreement is only the first step, having a trusted professional who can vet partner facilities is what can guarantee less room for error.
-
Having a third party audit your facility is also a good way to vet your own information security structure. They can assist in reviewing policies and procedures in place, as well as ensure your network security.
-
Enforce the recently introduced Omnibus HIPAA requirements, which have added to the responsibilities of healthcare providers and their executives in the areas of PHI privacy, breach reporting and business associate agreement terms.
In addition to these six steps, healthcare providers also consider getting outside help to establish HIPAA compliance and pass OCR audits. It is highly favorable to those facilities that are limited in IT staff and aren’t able to provide the necessary training that generates an infallible HIPAA compliance set up.
If healthcare organizations fail an OCR audit due to noncompliance it leads to penalties that range between $100 to more than $50,000 per violation. No business wants to lose money, nor should they; especially when there are professionals and actions that can be taken to prevent such financial loss.
The sooner healthcare executives and their CIOs take action to meet HIPAA standards and prepare for OCR audits; the less likely it is their facility risks financial burden due to fines, not to mention the economic loss from an information security breach.