- While healthcare organizations should not panic over the idea of a potential HIPAA audit or risk assessment, they should ensure that their privacy and security measures are comprehensive and current. This will not only keep sensitive data, such as PHI, secure, but it will also help the entire audit process run smoothly.
Night Nurse, a 24-hour, 365 day per-year triage support and medical-home compliance provider went through an in-depth risk assessment audit. Night Nurse COO Stuart Pologe explained to HealthITSecurity.com in an email that the goal of the audit was to verify the integrity of patient-identifiable information (PII) and PHI in the organization’s systems.
“The audit was initiated in order to achieve a higher degree of compliance, affording us the opportunity to provide secure triage services large hospital system,” Pologe said. “Organizations are subjected to the greatest amount of scrutiny. The goal was to increase our service and security levels to meet or exceed the meticulous standards of the nation’s largest and most respected hospital systems.”
The HIPAA risk assessment audit consists of three phases, taking place across approximately one year, Pologe noted. Phase one was comprised of meeting more than 400 interrogatories from the auditors.
“The questions required everything from base descriptions of our services and procedures to in-depth descriptions of each technical component of our system infrastructure,” he stated. “The report also required a vulnerability assessment for each technology component, and how these risks were mitigated.”
Pologe added that may be surprised to learn how each component – even printers - can be a HIPAA liability or a key security stronghold, depending on how they’re configured and managed.
“Phase one was a long process,” recalled Pologe. “In addition to compiling the extensive amount of documentation required, Night Nurse needed to gain auditor approval on each of the responses in order to move into the second phase of the process. This often involved multiple iterations of the documentation and submission process, requiring verification of all specifications, statistics, and policies.”
Phase two consisted of the detailed, on-site inspection phase, Pologe explained. This included everything from the physical security of the building and data center, to patient data security.
“The edifice security standards required appropriate locks at all stages of access, with at least two locked doors to any area housing PII or PHI, with security systems and video cameras required to ensure access control and record-keeping,” he noted. “In addition, all areas where patient information is discussed or viewed must meet appropriate isolation standards. This includes the seclusion of printers, fax machines and paper archive access.”
After physical safeguards were addressed, Pologe said that the auditors began hacking attempts to penetrate the Night Nurse IT systems. Both inbound and outbound information transmissions were monitored with Wireshark technologies, and the audit team examined data flow to try and find any non-encrypted information.
If any readable information, not just PII or PHI, was found it would have been an immediate failure, he stated.
“The next section of the audit was focused on remediation,” Pologe explained. “The auditors provided extensive reporting and required areas of improvement, based on the many examinations conducted. Anything and everything considered a tangible risk was highlighted for mitigation. Additional requirements were provided with compliance time frames of 30 days, six months and one year to achieve the maximum level of compliance.”
Building a compliant IT infrastructure for data security
Pologe maintained that organizations must ensure that they have necessary access controls anywhere information is stored. This is true for paper or electronic data storage.
“We’ve always placed a high priority on IT security, but we needed to add even more levels of premises security,” he said. “Now, each person has to sign a log on why they enter areas containing PII or PHI. When building your premises security strategy, allow as few people as possible into sensitive areas to reduce risk of exposure to information.”
Covered entities should also consider ways to isolate sound or viewing angles. For example, waiting rooms cannot permit visitors to overhear patient discussions, Pologe pointed out. Waiting rooms should also not have any over the shoulder line-of-sight to paperwork or a computer screen.
All types of office devices could lead to unexpected HIPAA violations, he added. With printers, they must be appropriately password protected. That access needs to be restricted through access cards or managed network switches, he stressed. Printers should also have static IPs to avoid known HIPAA vulnerabilities.
Night Nurse receives and transmits approximately 50,000 patient encounters per month, Pologe explained. Protecting paper documents is as vital as protecting its electronic documents. Having fax machines export images, in real time, to a secured server is mission-critical to archiving fax data in a compliant manner, he said.
“Printers and scanners provide a critical connection between digital healthcare systems and physical paper documents, and security is a top concern,” Pologe explained. “We’ve had excellent experiences with Brother devices since 2004, as they deliver the security features and customization levels that enable HIPAA compliance.”
Pologe added that organizations should ensure they have consistent access to electric power. Any power interruptions, even for a few minutes, degrades patient care and introduces risks. Night Nurse’s entire facility is backed up by a dedicated natural gas generator, he noted.
Overall, organizations should make sure they take care of the basics right up front so they don’t have to do a lot of work on the back-end.
“Organize all of your documentation in a single file location, including protocol manuals, security manuals and disaster recovery plans,” advised Pologe. “Make sure these documents are in a secure, yet easy to access location. And institute a ‘clean-desk’ policy.”
Covered entities also need to be prepared to carve out the time for their HIPAA audit. Night Nurse’s took approximately 10 months, Pologe noted. Even with internal and external assistance, organizations will be required to produce and edit a tremendous amount of documentation.
“For many healthcare organizations, a HIPAA audit is a dreaded task,” Pologe concluded. “While it consumes an extensive amount of time, it also produces multiple benefits. Today, Night Nurse’s expanded level of compliance ensures that we’re able to support any size institution, including the largest hospital systems with the most stringent requirements.”