Earlier this month, the American Health Information Management Association (AHIMA) published its newest toolkit to assist organizations in preparing for HIPAA audits.
The “External HIPAA Audit Readiness Toolkit” addresses key aspects of the Office for Civil Rights’ (OCR) Phase 2 audits and features best practices and tips for covered entities.
AHIMA IG Advisors Senior Director Kathy Downing, MA, RHIA told HealthITSecurity.com that information governance requires a comprehensive approach to ensure strong data privacy and security. Entities can better prepare for HIPAA audits by creating a strong information governance program.
“AHIMA’s IT service line is made up of all of the aspects of privacy and security, making sure it has information protection in healthcare all the way up through an enterprise level on records,” Downing said. “It also works on advancing the records management processes into more of an information governance type view, which certainly encompasses your privacy and security.”
It also includes things like records destruction and legal and regulatory compliance, she added. It is a bigger framework than just privacy and security.
How the AHIMA toolkit can benefit covered entities
Downing explained that AHIMA has listened to OCR findings from its 2016 desk audits. One of the fairly consistent findings was that healthcare organizations might have checked some of the boxes around privacy and security, but they were by no means meeting the full intent of HIPAA in all of its aspects.
“Our recommendation is that you do self-audits,” she advised. “It may be something you do every six months, once a year, but our audit tool was really meant to say, ‘This is an industry best practice.’ If you’re not self-auditing, you should be, and the toolkit was really meant to be checklist oriented and a way to operationalize the audit process. That way, each privacy officer across the country isn’t trying to do it on their own in working with their organization.”
Another important takeaway is that for many large, company-wide audits – such as with a HIPAA audit – it can take time for the administration to get on board, Downing noted. Audit findings in an organization should be reported all the way up to the board, as it is a compliance issue and definitely a high risk issue.
OCR’s previously announced HIPAA settlements, which include $3 million and $5.5 million fines, show that it is definitely an area on which organizations must focus.
“When we started thinking about building the audit toolkit, it was really trying to operationalize the audit so that each and every organization doesn’t have to try and figure everything out on their own,” she said. “That’s really what it was trying to give out to the community at whole.”
Downing added that AHIMA is trying to make sure people are doing the audits to minimize the data breach risk as well. Not only are there OCR fines, but there have also been many HIPAA data breaches in the news at hospitals and physician practices.
“If you talk to people around you, almost everybody has had some sort of healthcare breach and they’re under a year of credit monitoring for a healthcare breach,” Downing said. “We’re not doing everything right when it comes to securing information.”
Healthcare is especially complicated because providers need to be able to share information with patients, other providers, and caregivers while at the same time securing and protecting that data, Downing noted. It is a very difficult way to do business and keep everything secure at the same time.
Going beyond HIPAA training for strong information governance
Along with self-auditing, Downing recommended that organizations focus on employee training, education, and awareness. However, it should go beyond just HIPAA training, education, and awareness, she added. At this point, providers should be fairly knowledgeable about those overarching concepts.
“If they’ve been working in healthcare and they’ve gotten your annual training, now it’s time to talk to them about what’s a phishing email? What would a cyber attack look like? What does a ransomware attack look like? It’s about bringing employees up on your current, really high risk areas,” advised Downing.
It could also be beneficial to teach employees to recognize the signs of a denial-of-service (DoS) attack: for example, if a website they were able to reach the day before is suddenly unavailable, do they know that a DoS attack might be underway? Organizations need to keep their training and education programs current with the latest threats.
“This idea of security awareness definitely needs to be expanded beyond logging off your computer,” she said. “We know we need to log off, and change our password regularly. We need to get to that next level.”
In terms of auditing though, Downing said that organizations really need to understand whether they’re doing manual audits of systems or if they’re utilizing a third-party system, such as Fair Warning.
“You really need to be looking at doing some analytics on how many privacy investigations you are undergoing, how many reportable breaches you have had in your organization, and how fast your breach incident response team can get through an investigation,” she explained. “Are you fumbling around, or have you practiced it? Do you run major drills twice a year? Do you know if you’re under a ransomware attack or can you not access the internet because you’re under a DoS attack?”
Healthcare organizations need to know how quickly they can react to get things back under control. Many incident response teams need to review who’s on the team, why HR is there, and why the HIM director and the IT director are involved. Organizations must review why all of those people are involved, and what needs to be done in terms of testing and playing through various potential scenarios.
“Hospitals are really focused on protecting the EHR, but there are all these other potential scenarios that could play out,” Downing cautioned. “This is what information governance really pushes. We need to have an organization-wide view of how they secure information. The idea of securing the EHR and putting it in a bubble is not realistic because the portal is going to get into it.”
For example, Downing pointed out how the Banner Health data breach stemmed from credit card machines in the hospital cafeteria being infiltrated. Organizations must take a broader look with their data security approach.
“This audit tool is a good example of a way to really push beyond the status quo as it relates to privacy and security,” Downing said. “The number of privacy officers is dwindling because as we get better and better at privacy, organizations that are multi-hospital organizations that used to have one privacy officer at each hospital, now have one for five hospitals, or one for 11 hospitals.
“I talk to privacy officers and I say, ‘You don’t get to just sit back and do the HIPAA stuff.’ Why aren’t privacy officers looking at HR data and what their policies are? Why are privacy officers and to some extent, security officers, in the EHR, the ePHI or the PHI silos? We’ve got to start getting beyond that.”
Utilizing technology without compromising health data security
Another key part of information governance that healthcare organizations need to focus on is the implementation of new technologies, Downing explained.
“We say an information governance program needs to have a mobile device security policy, program, and audit, and possibly invest in some mobile device management software, which certainly isn’t new to the market,” she said.
Connected medical devices are also a potential risk area, Downing noted, and could be very vulnerable to a cyber attack.
“A lot of the medical devices have a low level of security maturity,” she said, noting the Hollywood version in a Homeland episode where a pacemaker was hacked. “It really is still not mature, and a lot of that insecure medical device responsibility is really on the vendor. Hospitals have to use what they have to use and those vendors, they just haven’t been pushed down the encryption path like they should have been.”
The Federal Trade Commission (FTC) and Food and Drug Administration (FDA) are both working on guidelines for stronger medical device cybersecurity, Downing pointed out. In fact, the FDA finalized its medical device cybersecurity guidance at the end of 2016.
Social media is also an increasingly prominent privacy and security problem area, according to Downing. Organizations need a social media program and policy about what can be posted. It has gone further than just employees choosing to post pictures of patients on Facebook, she explained.
“Let’s say an organization is undergoing some sort of merger or acquisition, that maybe an employee knows about because they’re working on it, but they don’t realize that should be kept confidential,” Downing stated. “Then it ends up on social media and all of a sudden people who didn’t know about it yet know about it, and it really wasn’t handled in the most legal of ways.”
There needs to be more robust employee education about who can post things about the organization, she explained. It is another area where privacy officers need to really expand.
It is also increasingly important for organizations to have strong information governance programs as data is being stored for longer periods.
“The longer you keep it, the longer you have to secure it,” Downing said. “Additionally, the longer you have to decide who has access to it from a privacy perspective. Information governance ties into that whole record retention and how we’re retaining email. Do we really need to keep it forever? Can it go into secondary storage?”
Along with data storage, healthcare organizations need to have a disaster recovery plan or business continuity plan in place.
“That’s another thing that comes to mind with privacy and security and that is, again, a key OCR audit finding,” she cautioned. “Organizations maybe have a disaster recovery plan in place, and we’ll go in to do an information governance assessment for them to see where they are with information governance. We’ll be interviewing the CIO and the HIM director and we’ll say, ‘We’re curious. What’s your business continuity plan?’ They’ll say, ‘Well, we know corporate has one.’”
Knowing that the corporate office has one, but not actually knowing what the plan is will not benefit an entity should a natural disaster occur, she said. The plan needs to be tested and employees at all levels need to be trained in how they must respond in that type of situation.
Overall, Downing maintained that strong information governance requires healthcare organizations to take the time to focus on employee training, and ensure that data security measures expand beyond HIPAA regulations.