The introduction of HITECH in 2009 gave the Office of Civil Rights (OCR) more muscle to enforce HIPAA and levy stiff penalties—up to $1.5 million per incident for some violations—for organizations failing to protect patient health information (PHI). In 2014 alone, OCR settled with seven entities for $8,065,220, an average of more than $1.15 million each. In 2012, OCR began a pilot audit program that is now in full swing.
Even if you’ve followed our tips for ensuring you are in HIPAA compliance, a notification that you’re being audited might involuntarily send a shiver up your spine. While you can find the full audit protocol here, a good place to start preparing for your audit is to assess your practice against the following areas, which were cited by OCR as the most common errors identified among data breach reports filed in 2011-12:
1. Risk analysis and management
Do you have a plan that identifies all potential risks for compromising electronic or printed PHI? When was the last time you reviewed it to ensure your policies and procedures address all the technology used by staff, from photocopiers to smart phones? Do you know how often PHI is transmitted outside of the practice on a typical day, and where it goes?
2. Security evaluation
Failing to take proper precautions to safeguard PHI when moving to a new office, or when installing or upgrading equipment or software, can put protected data at risk. A security evaluation can help identify problems before they occur.
3. Security and control of portable devices
Lost or stolen laptops, storage devices like memory sticks, and tablets containing unencrypted data are the single most frequent cause of data breaches.
4. Proper disposal of data
What happens with the patient data that no longer needs to be stored on a device? Your process for cleaning, purging and testing hard drives before they are recycled or transferred to a third party should be well documented.
5. Access control
Take a walk through your office to see how many workstations stay on all day, even when unattended. If you can see the screen, PHI on that computer may be visible to others.
6. Training
Train new employees right away on your policies and procedures for appropriate and improper uses of PHI, and on the consequences of violating them for both the organization and the individual.
The best news – you’re not alone. We can help you mitigate the risk of releasing PHI and ePHI by securing your technology workflow. To obtain a full assessment of your IT and print infrastructure email us at info@symquest.com or call 1-800-374-9900.