2018 is here and The Department of Health and Human Services Office of Civil Rights (HHS OCR) has signaled that the high pace of HIPAA audits will continue. The number of audits performed in 2017 surpassed all audits performed in 2014, 2015, and 2016 COMBINED. Most of these audits came down to a series of common HIPAA mistakes that cost practices millions of dollars. Here is a quick list of 3 common mistakes practices make that can cause big HIPAA problems and put patient data at risk.
Not performing your mandatory risk assessment
This is the cornerstone of your compliance, and it is also where most of the HIPAA mistakes made by practices occur. Most practices claim "they have one" but haven't actually taken the time to get one performed. When HHS OCR arrives at a practice, one of the first things they ask for is your most recent risk assessment. They want to see, first, that you performed one and, second, that you remediated everything it found. Risk assessments are an absolute requirement under HIPAA, and the mistake is easy to remedy.
Not having a risk assessment also creates a problem when attesting for meaningful use. A risk assessment is required for attesting, and claiming that one was performed when in fact it wasn't could be interpreted as fraud under federal law. With such a no-brainer solution, why take the risk of committing federal fraud?
Not performing on-boarding or termination procedures
One of the core principles of HIPAA is documentation. Document everything that occurs in your practice as it relates to HIPAA. One area that is often overlooked is the process of handling employees. When a new employee starts (a process known as on-boarding) and when an employee leaves or is terminated are both good times for HIPAA documentation. Document the access to PHI that you gave the employee via Electronic Medical Records (EMRs), billing software, and insurance websites. Show which systems they have access to on your network and that they have been informed of your practice's HIPAA policies. You can create a checklist of these items that covers everything a new employee needs.
When an employee leaves (or is terminated), simply use the same checklist and work backwards. This will allow you to remove every access to PHI that they had. Many employee HIPAA breaches occur after an employee has left: they still have access to the practice's insurance websites or EMR data via remote access and make use of it. All of these are easy to stop by just following a checklist.
Not preparing for ransomware attacks
Ransomware attacks increased massively in 2017. In addition, HHS released guidance that a ransomware infection of ePHI is a breach of PHI. This one is fairly simple to protect your practice from: use commercial anti-virus software. Don't use free anti-virus software, because most do not include real-time scanning; they only perform scheduled scans. Scheduled scans won't protect against ransomware attacks, because the infection happens in real time, before the next scan runs. Commercial software scans all incoming files in real time and, as long as you keep the software updated, has a good chance of preventing a ransomware infection.
Start your 2018 off right by addressing these common HIPAA mistakes made by practices all over. They are easy and cheap to fix and go a long way to ensuring you meet your obligation to protect patient data under HIPAA law.