Avoiding hefty fines and collecting federal incentives are major motivators of the healthcare industry to adopt electronic medical record (EMR) systems, in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Our HIPAA audit means that a certified, independent auditor audited our processes, policies, facilities and hosting solutions against the latest OCR HIPAA Audit Protocol, which was released in June 2012 after the initial federal pilot audit program. The Office for Civil Rights is the governing body and enforcers of HIPAA violation penalties. The OCR HIPAA Audit Protocol covers the HIPAA Security Rule, Privacy Rule and Breach Notification Rule.
An example of a high level HIPAA Security Rule citation compliance checklist can be seen to the right – we are found to be fully compliant by each safeguard’s standards and citations.
For each Administrative, Physical and Technical safeguard, there are a number of standards that a covered entity (CE), or business associate (BA) must pass to complete an audit. A BA provides a service for a CE, and may need to access PHI. Although Online Tech never accesses PHI under any circumstances, it is common in the IT and hosting provider industry to sign a Business Associates Agreement (BAA) that codifies their commitment to follow HIPAA rules.
What are some best practices that you, the CE, should do to help with passing your audit?
- Document data management, security, training and notification plans.
- Use a password policy for access.
- Encrypt PHI, whether it is in a database or in files on a server. Although not required by HIPAA, it is strongly suggested and considered best practice to do so while stored in the database, and especially during transmission. More encryption considerations:
- Always use SSL for web-based access of any sensitive data.
- Encryption techniques and mechanisms of sensitive information should be known to only a select few.
- Content such as images or scans should be encrypted and contain no personally identifying information.
- Don’t use public FTP – use an alternative method to move files.
- Only use VPN access for remote access.
- Use login retry protection in your application.
- Document a disaster recovery plan.
- Save money and time by hosting with a company that already has a BAA in place – that way your auditor can review the document instead of conducting another audit on top of yours.
One important distinction between a business associate’s audit and a covered entity is that as a healthcare organization dealing with PHI, you still need to undergo an audit to check your company’s processes and procedures. Your IT company may provide the technology to transmit and store your patients’ PHI, but you are still held accountable by HIPAA standards.
With federally funded audits planned through the end of 2012 and for business associates alike, it’s advisable to begin the EHR and audit process now, if you haven’t already started.