This year, about 150 covered entities and 50 business associates (BAs)[1] have been or are currently engaged in phase two of the U.S. Department of Health and Human Services (HHS) audit program.[2] These initial audits are largely desk audits. An onsite audit may follow and go much deeper in examining compliance with the Privacy, Security, or Breach Notification Rules. The goal of the audits, and for all healthcare organizations, is to identify best practices to share with the industry and to get out in front of risks and vulnerabilities before they result in breaches.
The threat of security breaches is no small problem in healthcare. Last year, breaches accounted for the theft of millions of personal information records. In fact, the healthcare industry is the largest target for thieves because of the sheer volume and variety of personal information its systems contain. Social Security numbers can be purchased on the Dark Web for around $15, while medical records fetch at least $60 per record because of the additional information they carry, such as addresses, phone numbers, and employment history. Criminals can use this data in a variety of ways, including filing fake tax returns.[3]
Building the offense
The best defense is a good offense, and the HHS Office for Civil Rights (OCR) audits are meant to be an important part of that offense. However, many organizations can’t avoid feeling angst, or even dread, about fighting a battle on two fronts: fending off hackers while meeting a growing list of audit requirements.
It is a time of transition for our industry. As HIPAA breaches occur with increasing frequency, it’s imperative that we take the appropriate steps to establish greater levels of accountability.
Accountability starts with having a proactive plan to help ensure that your organization has done the necessary work to guard patients’ protected health information (PHI). This is one of the reasons the new OCR audits will focus on business associates as well as covered entities: to help ensure that business associates are adhering to all of the regulations required to protect the covered entity’s data that is entrusted to them.
Business associates have grown into a significant security threat because they have access to millions of patient records. If a BA does not have the necessary safeguards in place to protect that data, it places its business – and that of the covered entity for which it provides services – at considerable risk. A recent research report found that 87 percent of business associates state their organizations experienced electronic information-based security incidents over the past two years.[4]
It’s all in the prep
To comply with the audit, an organization must know, possess, and verify a significant amount of information in a very short period of time. Everything must be documented electronically. Random paper files stored in numerous departments across an organization would be virtually impossible to aggregate in time to meet the audit deadline. From the date a covered entity receives audit notification, the organization has only 10 days to provide the requested data. Depending on the scope of the audit, the following may be required for submission:
- List of business associates with updated contact information and product/service category;
- A copy of your most recent security risk assessment;
- Copies of your HIPAA policies and procedures; and
- Your incident response plan.
One of the biggest problems identified in managing the risk generated by business associates, as required by HHS, is that the processes used to track business associate compliance with procedures are too often reactive, manual, and not well systematized. By operationalizing BA policies into procedures, organizations can efficiently track BA-related tasks as part of the overall vendor relationship management process. This is a complex and critical part of a healthcare organization’s digital security – you cannot monitor or manage what you don’t know about or can’t access.
The mistake many organizations make is not having the required information current and ready at all times. They rely on outdated manual processes that prevent them from gathering and documenting the necessary information within the 10-day timeframe. And if an organization has more than 100 BAs, the information required for the audit simply cannot be managed manually. A business associate management system – including document centralization – is required to acquire, organize, and maintain the information.
Steps organizations can take to prepare for and respond to the audit notification include:
- Improve compliance processes, including through the use of automation. There are too many BAs to manage the information manually.
- Centralize and organize business associate agreements (BAAs) and compliance-related information. Have a leader, ideally in the privacy office, with strong relationships across the organization including financial, legal, and the C-suite.
- Identify with whom protected information is being shared.
- Streamline the BA management process so that all BAs can be reached quickly and efficiently to obtain BAAs, confirmations from vendors, and similar material.
No system is perfectly secure, but creating effective processes, combined with technology solutions to manage vendor information, can help mitigate the risk associated with the growing volume of critical personal information, well in advance of an audit notice.
References:
- [1] Definition of Covered Entity and Business Associate, National Institutes of Health, https://privacyruleandresearch.nih.gov/pr_06.asp
- [2] HIPAA Privacy, Security, and Breach Notification Audit Program, U.S. Department of Health and Human Services, http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/
- [3] Dark web is fertile ground for stolen medical records, CNBC, March 11, 2016, http://www.cnbc.com/2016/03/10/dark-web-is-fertile-ground-for-stolen-medical-records.html
- [4] Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, Ponemon Institute, May 2015, https://www2.idexpertscorp.com/fifth-annual-ponemon-study-on-privacy-security-incidents-of-healthcare-data