As Data Privacy Day nears, have you wondered what your healthcare provider is doing to protect your personal medical data?

Since 1996, the Health Insurance Portability and Accountability Act (HIPAA) has governed sensitive patient data protection with its Security Rules. In 2000, the U.S. Department of Health and Human Services expanded HIPAA’s reach by publishing the Privacy Rule, which sets national standards to protect individual’s medical records and other protected health information (PHI).

In March 2013, significant changes to HIPAA encouraged healthcare organizations and other covered entities like group health plans, pharmacies and health insurance companies to compile an audit checklist. The objective of a HIPAA audit checklist identifies any possible risks compromising electronically-stored protected health information (ePHI).

These changes were enacted in response to the increasing number of ePHI breaches being reported to the U.S. Department of Health and Human Services´ Office for Civil Rights (OCR) – largely due to the growing use of mobile technology to communicate ePHI.

Fast forward to 2016, when an OCR announcement revealed that a Phase 2 HIPAA Audit Program was launching to review the policies and procedures adopted and employed by covered entities and their business associates – another safeguard to ensure selected standards and implementation specifications of the Privacy, Security and Breach Notification Rules were met.

As technology continues to evolve, organizations of all sizes must ensure that they are maintaining security and understand how best to keep sensitive information secure.

Enter Stinnett’s cybersecurity and data privacy team. Our experts can help groups maintain HIPAA security measures in the following ways:

  • Identify key processes and data that fall within HIPAA compliance.
  • Develop privacy questionnaires and conduct interviews with key personnel.
  • Assess the effectiveness of the design and operation of the safeguards.
  • Identify control gaps and opportunities for process improvement and provide guidance to management as they identify actions to increase compliance and reduce potential risks.
  • Evaluate Business Associate Agreements and relationships.
  • Provide management with a report that summarizes the assessment results and defines the current level of compliance to HIPAA information security guidelines.

Did you know a Covered Entity is any organization or corporation that directly handles Personal Health Information (PHI) or Personal Health Records (PHR)? Some of the obvious organizations would be medical facilities and pharmacies; however, most companies which provide a group health plan to their employees are also considered covered entities.

HIPAA audits by the OCR are something that all covered entities must be prepared to potentially go through. As part of the Administrative safeguards, §164.308(a)(1)(ii)(A) Risk analysis requires covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the organization.

Without a risk analysis, it is much more difficult for organizations to know where they stand in terms of security. This can be detrimental not only for HIPAA audits, but also in maintaining comprehensive data security. Periodic reviews help businesses work toward maintaining HIPAA compliance and keeping sensitive data as secure as possible.

While HIPAA is arguably one of the most ethical guidelines in the industry, HIPAA compliance does not have to be difficult. By taking a proactive approach and investing in a HIPAA risk assessment, your organization can reduce threats of data breaches, giving you and your clients peace of mind.