BreachExchange mailing list archives

Closing the gaps in HIPAA compliance


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 1 Sep 2015 09:04:42 -0600

http://www.healthcareitnews.com/blog/closing-gaps-hipaa-compliance

It's been more than ten years since Congress passed the Health Insurance
Portability and Accountability Act (HIPAA). Healthcare organizations have
worked ever since to consistently maintain the privacy and security of
patient health information. HIPAA requirements are vast and deep, requiring
considerable effort for organizations to keep up with. Many--especially
physician practices and smaller hospitals--do not have the bandwidth to
keep on top of all the different HIPAA nuances.

Compounding this lack of resources is a widespread belief that HIPAA
violations or security breaches only occur in other organizations. As such,
practice leaders may think there is low risk in noncompliance and not
prioritize the work. In addition, staff may not realize whose
responsibility compliance is, leaving an important task open-ended and
potentially incomplete.

All that said, organizations that make a commitment to HIPAA compliance can
protect themselves and their patients. HIPAA compliance, or lack thereof,
has both financial and cultural implications, so identifying common HIPAA
compliance gaps is a great way to start down the path to compliance. This
article will discuss two major gaps that many organizations encounter: the
prevailing "it won't happen to us" attitude and a lack of concentrated
resources to maintain compliance.

The ever-mounting risk

There has never been a more important time to enhance a HIPAA compliance
program. With the increasing prevalence of laptops and portable devices
that house electronic health records and other patient information, the
risk that a technology device will be stolen and its data compromised is
growing. Hackers are also becoming more sophisticated--the news is full of
organizations that have experienced attacks on their secure information.

Evolving technology is not the only risk factor. In fact, many compliance
breaches stem from human error. For instance, staff might inadvertently
leave a patient record open on a computer screen or a paper file in a
public place. Perhaps a physician forgets his or her laptop in the car or
shares his or her private security code with non-authorized personnel in an
effort to make life easier. While seemingly minor, all of these examples
showcase how HIPAA breaches can occur. Luckily, being proactive in
identifying risk can help organizations better prepare.

Position for HIPAA Success

While getting a handle on HIPAA compliance may seem overwhelming, it is
achievable for organizations that take a well-considered approach. A key
first step is laying the cultural groundwork, which includes addressing
attitudes toward HIPAA and making sure proper resources are allocated and
effectively concentrated. Here are a few strategies for getting started.

Address the attitude toward compliance. For HIPAA compliance to gain
attention, organization leaders must acknowledge and emphasize the
importance of preserving data privacy and security. Moreover, they need to
communicate that keeping information safe is every staff person's
responsibility. This requires more than just lip service, but rather a
concerted effort to uncover and resolve possible issues, effectively
dispelling the "a breach won't happen to us" attitude.

One effective way to bring HIPAA compliance to the forefront is to conduct
an informal analysis of the current state of compliance in the
organization. Leaders should walk through the organization, using a
critical eye to spot red flags. For example, does staff quickly respond to
patient medical record requests and follow a consistent and well-defined
process? How does the organization secure portable technology? What are the
facility's rules about security passwords? Does staff know not to discuss a
patient's care in common areas? An organization should consider documenting
this assessment and sharing it with staff, so that everyone gains an
appreciation of how compliance works and how the organization can improve.
Within this document, leaders may also want to outline the potential
consequences of a breach, citing similar organizations that experienced a
problem and the financial and cultural ramifications.

Another way to underscore the importance of an organization's commitment to
HIPAA compliance is to be open about improvement. Leaders should encourage
staff to report any gaps they notice, particularly workarounds that could
place the organization at risk. For example, if a staff member sees that
his peers are constantly rushing and leaving electronic medical records
open, there should be a method for safely sharing that information with
leadership. The response should be encouraging, not punitive, emphasizing
the need for improvement not disciplinary action. Also, when making
changes, leaders should gain staff feedback to make sure that new processes
and technology fit within workflow and do not place an undue burden on
staff.

Critically assess, and allocate, resources. To keep on top of HIPAA,
organizations should have at least one staff person dedicated to compliance
as part of his or her job. This individual should perform regular audits,
review and update policies, provide training, conduct risk assessments and
so on. Organizations must closely look at whether they can earmark the
necessary resources. If they can't, they may have to consider seeking
outside assistance in the form of technology, consultants or outsourcing.
Leaving compliance to chance or placing it as an ad hoc responsibility will
not be sufficient to protect patient data.

Making the Commitment

Ultimately, an organization will be successful in complying with HIPAA if
it is honest with itself about the risks it faces, the resources it can
allocate and what gaps exist. Facilities that take a hard look at these
gaps and work to mitigate them will go a long way in keeping information
safe, protecting patients and themselves.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
