In our last blog post, we discussed the prominence of data breaches in the healthcare industry. With so much of the attention being paid to breaches after-the-fact, what can a Covered Entity or Business Associate do to help prevent a data breach in the first place?
For many organizations that have suffered a breach in the past year, the realization that their security controls around how they manage healthcare information, internally and externally, were inadequate has come too late. Often it does not come until OCR delivers its Resolution Agreement, which documents the findings of the investigation into the incident and the settlement reached between OCR and the breached party. By the time this agreement is delivered, received, and agreed to by all the affected parties, the damage has already been done: monetary fines have been imposed and the breached party's reputation has been tarnished.
The breached party then has to implement the corrective actions specified by OCR in the agreement. These specifications carry strict timelines, forcing the organization into reactive mode immediately. The organization is now charged with running its business while containing and mitigating the effects of the breach, and at the same time remediating every deficiency OCR found. With resources for this work often already limited, the pressure on the breached organization becomes very real.
What can every Covered Entity and Business Associate do to proactively avoid the scenario illustrated above?
Below are a few starting points that will lead any Covered Entity and Business Associate in the right direction:
- Policies and Procedures: A comprehensive set of policies and procedures must be created, reviewed, and updated at least annually (more often if significant changes have been made to the organization's environment). The official policies and procedures must be reviewed by every workforce member who has ownership over any of the areas they cover. Once the review is complete and all changes have been incorporated, the Security Official and/or Privacy Official must sign off on the reviewed set. All policies and procedures must be retained for a minimum of 6 years to satisfy HIPAA documentation requirements.
- Training: All Covered Entities and Business Associates must have a formal training program in place that covers Security Awareness. Workforce members must receive the training, and acknowledge that they received it, upon hire and annually thereafter. Records of the training conducted should be maintained.
- BAA: All Covered Entities and Business Associates must ensure that every party they enter into a BAA with has an adequate security framework in place to safeguard all healthcare information it handles on their behalf.
- Risk Assessment: Covered Entities and Business Associates must conduct a comprehensive risk assessment that covers all IT equipment, applications, and data systems that store, process, or transmit ePHI, and all business processes that handle PHI. Every deficiency found must be addressed and remediated.
Being truly compliant involves a deeper look into every process within an organization; however, the suggestions listed above are a good starting point for any organization that wants to know where it stands with respect to its security framework.
This is the final post in this blog series leading to the HIMSS16 Convention next week. I truly enjoyed sharing my thoughts with the security and privacy community and I hope you found the information valuable. If you will be at the HIMSS event next week, please stop by booth 145 to say hello!
If you have any questions regarding the healthcare information requirements or other information security needs, please contact us at firstname.lastname@example.org.
Maria Sanchez is a Privacy and Security Professional at CompliancePoint working with Covered Entities and Business Associates in a variety of industries. She is committed to guiding customers through effective assessments covering the Security, Privacy, and Breach Rules from HIPAA/HITECH. Maria has a B.A. in Political Science and Sociology from Georgia State University and a J.D. from Florida Coastal School of Law. As an attorney, Maria concentrated her studies in international and comparative law. As a Privacy and Security Professional, Maria has earned her Healthcare Information Security and Privacy Practitioner (HCISPP) certification and Certified Information Privacy Professional for the US and Europe (CIPP/US and CIPP/EU) certifications.