Since its enactment in 1996, HIPAA has had an extensive impact on the healthcare industry, playing a critical role in ensuring the privacy, confidentiality, and security of an individual’s protected health information (PHI). Healthcare providers need to implement and maintain appropriate practices, processes, and procedures within their organizations to ensure patient privacy, confidentiality, and data security in accordance with HIPAA requirements. HIPAA compliance is a significant concern for healthcare organizations, and the complexity of a HIPAA audit can create anxiety for every business unit from the C-suite to the data center. Night Nurse, a 24-hour, 365-day-per-year triage support and medical-home compliance provider, endured an extensive audit and found that surviving it paid unexpected dividends.
Case study: HIPAA audit helps Night Nurse increase compliance
Night Nurse delivers a continuum of care support for doctors in private and group practices, community health centers, hospitals, and educational institutions in 35 states. Their team of healthcare providers assists patients and their families, helping to reduce physician workloads and deliver a better work/life balance for care providers.
Founded in 1999, Night Nurse has experienced double-digit growth for the past eight years. With this rapid growth came increased paper and digital document volume, expanded and complex document workflows, and the need for heightened HIPAA compliance.
Night Nurse initiated a HIPAA audit and an in-depth risk assessment audit to verify the integrity of patient-identifiable information (PII) and PHI across its paper-based and digital document systems. The goal was to increase service and security levels to meet or exceed the meticulous standards used by the nation’s largest and most respected hospital systems—organizations often subjected to the greatest amount of scrutiny.
The HIPAA and risk assessment audits occurred in three stages across nearly a year.
Audit Stage 1
The first stage required Night Nurse to provide answers and documentation for more than 400 questions. This included assessing the vulnerability of each technology component of its operations and detailing how the identified risks were to be mitigated. Each component—such as a printer, scanner, or fax machine—can be a HIPAA liability or a key security stronghold, depending on how the device is configured and managed.
Night Nurse COO Stuart Pologe noted, “We receive and transmit nearly 50,000 printed patient encounters per month, so the protection of paper documents is vital. We’ve had excellent experiences with Brother devices since 2004 and rely on them to deliver the security features and customization levels that help us maintain strict HIPAA compliance. Based on our experiences with Brother fax machines, we chose to use the Brother MFC-L6800DW all-in-one devices to handle all secure printing tasks.”
Auditor approval was required to move into the second stage of the audit. Reaching it took multiple iterations of the documentation, with verification of all specifications, statistics, and internal policies.
Audit Stage 2
Once all documentation was approved, Night Nurse advanced to a detailed onsite inspection of all aspects of its facilities. This covered everything from the physical security of the building and data center to the security controls protecting patient data. Facility security standards required appropriate locks at all points of access, with at least two locked doors between the outside and any area housing PII or PHI.
Once the physical-access security controls were verified, the auditors attempted to penetrate Night Nurse’s IT systems. Inbound and outbound document transmissions were monitored with Wireshark, and the audit team examined the captured data flows for any unencrypted information. This covered both digital data and the handling of fax data and transmissions. Pologe commented, “The capability to have our fax machines export images, in real time, to a secure and secured server is mission-critical to archiving fax data in a compliant manner.”
Audit Stage 3
The audit then focused on remediation. Auditors provided extensive reporting and identified required areas of improvement based on the examinations conducted. Anything considered a tangible risk was highlighted for mitigation. Additional requirements were assigned compliance time frames of 30 days, six months, and one year to achieve the maximum level of compliance.
Key takeaways for healthcare organizations
Night Nurse’s audit offers several lessons for organizations seeking to mitigate security risks, increase compliance, and better prepare for an audit.
To reduce the overwhelming documentation workload of Stage 1, healthcare providers should keep all documentation in a single, controlled location, including protocol manuals, security manuals, and disaster recovery plans.
Institute and maintain a “clean-desk” policy to ensure that confidential patient information cannot be seen by unauthorized parties, and extend this policy to all your print devices: unattended print jobs present significant compliance liabilities. Restrict usage and limit machine functions on a group or per-user basis by activating the security features on your devices. Pologe adds, “Ensure that printers are appropriately and adequately password protected and that access is restricted through NFC access cards or managed network switches. Printers should also have static IPs to avoid HIPAA vulnerabilities.”
Today, Night Nurse’s expanded level of compliance ensures that the organization can support an institution of any size, including the largest hospital systems with the most rigorous requirements.