OCR – Aegify
https://www.aegify.com
Comprehensive Security, Risk and Compliance Assurance Solution
Wed, 03 Aug 2016 00:23:43 +0000

Common mistakes to avoid to be guarded from HIPAA Audits and Penalties in 2015
https://www.aegify.com/tips-to-avoid-hipaa-audits-2015/
Thu, 12 Feb 2015 09:42:57 +0000
http://www.egestalt.com/blog/?p=931

Irrespective of industry, the digital era makes protecting employee privacy, and healthcare information in particular, a vital obligation for every employer. While the HIPAA and HITECH laws were designed to govern this information, remaining compliant with these regulations is a daunting challenge in a world of cyber criminals.

The past year saw enterprises and individuals across industries, and the healthcare industry most of all, fall prey to data breaches and HIPAA compliance failures. The Office for Civil Rights (OCR) has therefore taken stern steps to ensure the privacy and security of data across enterprises in 2015. Because the OCR wants enterprises, medical practitioners, their business associates and covered entities to take proactive steps toward compliance with the Health Insurance Portability and Accountability Act, it intends to apply its HIPAA Audit Program to randomly selected enterprises to check their compliance levels. With HIPAA audits on the horizon, enterprises need to institute smart practices and be audit ready.

The increase in HIPAA audits is part of a stimulus, and any complaint of a security breach involving more than 500 people is sure to trigger an audit. So employers in other industries also need to take proactive steps to comply with these regulations; without them, they too are liable to hefty fines.

Understanding the common pitfalls will help enterprises avoid them during the HIPAA audits of 2015. These mistakes include:

  • Non-compliance with the Security Rule: not updating and encrypting documents, and overlooking business associate agreements.
  • Failure to implement security risk assessment and compliance programs that help employees understand the need to secure PHI, which includes vital personal information and payment card data.
  • Failure to establish security programs that proactively monitor security and performance indicators, and failure to continuously train and retrain employees with critical access on documenting the handling of vital data and EHRs.
  • Failure to update privacy practices.
  • Ignoring privacy laws that interact with HIPAA.

With the OCR using its HIPAA Audit Program to randomly assess covered entities and their business associates for compliance with the HIPAA Privacy, Security and Breach Notification Rules, those entities must take a proactive approach to audits. As a first step, enterprises need to ensure that their plan is documented and well communicated across the organization.

With regulators favouring a risk-based approach, enterprises need to make use of security and compliance programs such as Aegify that help them evaluate the risks and vulnerabilities in their environments. This both puts in place the security controls that address those issues and prepares the business to face the OCR as and when it arrives.

The post Common mistakes to avoid to be guarded from HIPAA Audits and Penalties in 2015 appeared first on Aegify.

Facing OCR Audits with Confidence
https://www.aegify.com/facing-ocr-audits-with-confidence/
Thu, 15 Jan 2015 04:09:47 +0000
http://www.egestalt.com/blog/?p=908

Reported healthcare data breaches have risen by nearly 138%. The Department of Health and Human Services’ Office for Civil Rights has therefore unveiled the second round of its audit program. Unlike the previous round, this time the OCR is looking to conduct audits across all high-risk areas. While this round eliminates on-site visits, the OCR is also looking to potentially integrate the audits into its formal enforcement program.

While audits for HIPAA compliance have become more common, many healthcare providers are still not effectively prepared for one. These providers and their business associates may therefore face serious consequences during the next round of OCR audits. What healthcare providers need to understand is that while the Office for Civil Rights is not out to get them, it definitely expects healthcare enterprises to make a faithful effort to protect their vital patient data. Two years after the 2012 OCR pilot program audits, covered entities and business associates still need to look for more effective measures to protect themselves and not fall victim to past mistakes.

In fact, with technology being integrated into the audit process, healthcare providers need to learn from their past mistakes and be ready to face the OCR audits. The 2012 OCR audits exposed gaps in healthcare compliance such as:

  • Minimal to near-nil protection, with an absence of even the basic security tools and methods needed to identify vulnerabilities, leading to exposure of patient data.
  • No knowledge of where data is located, while allowing anywhere, any-time access to that data from a variety of handheld devices.
  • No training sessions for employees, and no techniques for monitoring data or reporting data breaches.

Since the Department of Health and Human Services has recorded more than 500 data breaches affecting 33 million PHI records on its ‘wall of shame’, covered entities and their business associates need to understand that OCR audits act as a vehicle to help them efficiently monitor HIPAA regulatory compliance. As a first step in the process, however, these establishments need to conduct a risk assessment to identify areas of vulnerability.

With HIPAA dictating the need to protect PHI, covered entities and their business associates need to deploy more strategic methods that help them identify the risks their data faces. Deploying comprehensive security management solutions such as Aegify Security Posture Management and Aegify Secure GRC will help these healthcare providers face the OCR audits with confidence.

The post Facing OCR Audits with Confidence appeared first on Aegify.

A Big Lesson to Learn from the Alaska DHSS Breach
https://www.aegify.com/a-big-lesson-to-learn-from-the-alaska-dhss-breach/
Thu, 20 Sep 2012 14:05:51 +0000
http://www.egestalt.com/blog/?p=376

A number of data breaches have been reported in the recent past, and every breach incident has a lesson to teach organizations that do not take HIPAA compliance seriously. This holds true for the recent breach involving the Alaska Department of Health and Social Services (DHSS) as well. The investigation in this case was triggered by the report of a stolen USB storage drive which may have contained the records of nearly 501 Medicaid beneficiaries. Alaska DHSS reported the incident in compliance with the HIPAA Breach Notification Rule, after which the OCR investigated the incident. Although the breach was a relatively small one, Alaska DHSS now has to pay a substantial penalty for non-compliance with HIPAA.

Alaska DHSS has agreed to pay a sum of $1.7 million as settlement, which is much higher than the settlement with BlueCross BlueShield of Tennessee for a breach affecting about 1 million individuals. Susan McAndrew, the deputy director of health information privacy at OCR, said that this enforcement action against Alaska DHSS is not focused on the stolen device alone but rather on the findings of the investigation, which revealed that Alaska DHSS did not have adequate policies and procedures governing the safety of electronic health information. She said that the settlement amount reflects the number of potential violations and the period of time over which they occurred.

The investigation also revealed that DHSS had taken insufficient risk management measures and had not completed a risk analysis. It was also found that the organization had not completed security training for employees, had inadequate device and media controls, and had not addressed device and media encryption requirements as per the HIPAA security norms. So, other than paying the penalty amount, Alaska DHSS is also required to take corrective action, including reviewing, revising, and maintaining policies and procedures to ensure compliance with HIPAA norms.

Alaska DHSS, however, does not admit liability or wrongdoing in this case, and contends that, contrary to what has been portrayed by the OCR, a risk assessment was actually conducted, although it is several years old. Bill Streur, the Commissioner of Alaska DHSS, says that the OCR’s definition of ‘current’ is not very clear. However, in the light of the OCR’s concerns, a new risk analysis is now underway.

The Big Lesson

This incident is yet another wake-up call for all those entities that have not been giving top priority to conducting periodic risk assessments, or to documenting evidence of them. If an organization has been conducting risk assessments regularly but does not have the documented evidence to show for it, that is still considered a major HIPAA violation. The monetary settlement in this case is significantly higher than in most other cases because the OCR has considered it a case of ‘willful neglect’.

Training employees, conducting risk analysis, and documenting evidence for compliance may all be demanding tasks. But it is important to remember that the smallest negligence or failure in this regard can threaten the very survival of a business, which is why adopting a solution like SecureGRC is all the more essential. With its comprehensive security capabilities SecureGRC can make HIPAA compliance unimaginably simple.

The post A Big Lesson to Learn from the Alaska DHSS Breach appeared first on Aegify.

OCR Audits Add to Your Responsibilities. It’s Warm-Up Time!
https://www.aegify.com/ocr-audits-add-to-your-responsibilities-its-warm-up-time/
Wed, 15 Feb 2012 09:12:27 +0000
http://www.egestalt.com/blog/?p=190

With OCR audits going on in full swing, your legal responsibilities as a healthcare provider have doubled. It’s not just about being compliant anymore; you should be in a position to prove your compliance with HIPAA regulations to the OCR team. The HIPAA audits seek to ascertain that all covered healthcare entities and their business associates are compliant with the requirements of the Health Insurance Portability and Accountability Act.

So while you may be compliant with HIPAA norms already, it’s now time to demonstrate compliance to the audit team. But this may not be possible unless you have prepared yourself to meet the demands of the OCR audit team. With penalties for non-compliance surpassing the million dollar mark, it’s only wise to be alert and prepare yourself for the upcoming audit.

Document all necessary evidence. Once your entity is selected for the audit, you will have just 10 business days to respond to the initial documentation request. So make sure that all policies, procedures, and practices related to HIPAA compliance are documented and ready to be presented. Begin by creating a comprehensive list of the documents that may be needed to support your compliance efforts.

Identify your Business Associates. Make sure you negotiate business associate agreements with all your vendors who handle protected health information (PHI). This is crucial to avoid data breaches and to prove compliance to the audit team.

Conduct periodic risk analysis. All covered entities are required to conduct a comprehensive, periodic risk analysis to identify and mitigate risks. If you have not conducted this in the last 12 months, you should do so immediately, because the audit team may ask you to present the results of this analysis during the audit. So don’t forget to document the entire process.

Assess your compliance status. Periodically evaluating the effectiveness of your compliance program is mandatory. If you have not formally evaluated your compliance program, you should do so at the earliest, and identify gaps or pitfalls if any, so that they can be fixed before your facility is audited.

Train your staff. Educating employees about the necessity to safeguard PHI and training them to follow security protocols and procedures are essential for HIPAA compliance. If your employees have not been trained consistently, it’s now time for a refresher. Make sure you document the training process to show evidence that all relevant employees have been duly trained.

Prepare SMEs. You should identify subject matter experts (SMEs) who will be the best points of contact for the audit team. These SMEs should be able to provide the necessary details on various aspects of HIPAA implementation. So make a list of SMEs and prepare them to face the audit well in advance.

Ensure timely response. During an audit the deadlines for responding are usually very short. So make sure the right people receive communications from the OCR team. This can help you respond at the right time and make a positive impression during the audit.

While complying with HIPAA regulations is challenging enough, demonstrating evidence of compliance to the OCR team can be even more difficult. That’s why eGestalt’s SecureGRC has been designed to meet all the audit requirements in addition to helping you achieve and maintain security and compliance in your entity. It comes with capabilities for compliance assessment, self-audits, and documentation, which prove useful while preparing for the OCR audit. So with eGestalt’s SecureGRC, clearing the HIPAA audit can be a cakewalk.

The post OCR Audits Add to Your Responsibilities. It’s Warm-Up Time! appeared first on Aegify.

Preparing for the OCR Audit? Find out How Aegify Can Help
https://www.aegify.com/preparing-for-the-ocr-audit-find-out-how-egestalt-can-help/
Tue, 07 Feb 2012 13:10:58 +0000
http://www.egestalt.com/blog/?p=182

Your data may be completely secure and your organization fully shielded from security attacks, but with OCR audits coming your way, it’s not enough to be just secure and compliant. You need to prove your compliance with the HIPAA Privacy, Security, and Breach Notification Rules to the OCR audit team. So while you’re preparing for the upcoming OCR audit, here’s a look at the 10 tips offered by Mahmood Sher-Jan, Vice President of Product Management at ID Experts, and Chris Apgar, President and CEO of Apgar and Associates, to prepare yourself for the OCR audit. Also see how eGestalt’s SecureGRC can make it easy for you to follow these tips:

1. Know your compliance status. It is crucial that you have a complete understanding of the status of compliance in your entity and the gaps that exist in your security set-up. For this you need to evaluate yourself as well as your business associates through self-audits to identify inadequacies if any, and fix them in a timely manner.

SecureGRC is a fully automated and integrated tool which ensures that security and compliance requirements are met at all times. It comes with the capability for self-audits, and helps you keep track of your compliance status at any point in time.

2. Manage your documents centrally. While you need to keep track of your compliance status, you also need to maintain documents supporting your compliance with HIPAA rules. This is an integral part of being compliant, and provides protection against significant legal risk. Hence, if and when the need arises you should be ready to produce documents on policies, procedures, risk analyses reports, training records and other related compliance activities.

SecureGRC is designed to create and maintain a central online document repository wherein all documented proof of compliance and security are securely uploaded. Even the compliance documents from business partners and subcontractors are uploaded into this repository, thus making it easy for you to furnish all documents requested during the audit.

3. Come up with a compliance plan. Prioritizing high to low risk compliance gaps is an essential part of preparing yourself for the audit. This enables you to determine the right plan of action and helps you align your resources accordingly.

The risk configuration module in SecureGRC helps you quickly configure the risk algorithms for regulations and risk threshold calculations.

4. Develop and implement HIPAA policies and procedures. Protecting the confidentiality, integrity, and availability of health information is one of the basic requirements of HIPAA, and you should have policies and procedures to ensure it. Compliance rules are subject to change, so you should adopt a system that is extensible to include new regulations as and when they are introduced.

SecureGRC is the ONLY product with built-in best practices, policy and procedure templates. So by adopting this solution you will have ready-to-use frameworks for every action required to ensure and maintain compliance. SecureGRC has a set of built-in, ready-to-use and easily customizable policy frameworks and procedures for HIPAA, PCI, SOX etc. that address the requirements of confidentiality, integrity and availability, so you do not have to create and implement policies and procedures from scratch. It also comes with the capability to automatically upgrade itself to include new rules and regulations as and when they are introduced.

5. Build an IRP. An Incident Response Plan (IRP) is critical for protecting Patient Health Information because it provides the strategy for how an entity will react in case of a compromise/breach. It is important for you to demonstrate that you have an incident response team, plan, and procedures to ensure timely and consistent response in case of any unforeseen breach incidents.

The Report on Compliance and the Risk reports point to the need to manage vulnerabilities even before a security incident occurs. SecureGRC features easy-to-adopt, ready-to-use compliance frameworks, as well as context-based inference engines. It comes with a built-in best practices library which explains how to resolve any issues found. These best practices are in line with compliance requirements and can therefore serve as a valuable foundation on which to build your IRP.

6. Train your staff. ‘People risk’ is the biggest risk in every organization because employee negligence is often the main cause of information breach. So training your employees is critical to achieving complete security and compliance. All employees should be made aware of the security protocols to be followed while dealing with PHI.

SecureGRC has been designed to cover vulnerabilities in the human aspect of security. Access control is purely role-based. Its automated controls remind your staff to address compliance-related tasks in an optimal manner, manage exceptions, and allow you to compare user access, check the appropriateness of access rights, and flag any discrepancies.

7. Analyze and manage risks. To ensure that your security policies and procedures are in place, and that your compliance requirements are met on an ongoing basis, it is important to identify high-risk areas and analyze them in order to devise measures to manage evolving risks in the long run.

SecureGRC provides end-to-end automation for all your risk management needs supported by inline policies, best practices, citation guidance, risk management, and implementation briefs. It simplifies risk management by identifying high-risk areas and proactively recommends strategies to mitigate risks at the right time.

8. Document all security and compliance activities. Demonstrating compliance is not a one-time event; it is an ongoing process. While it may not be possible to completely prevent unauthorized exposure of data, you should be able to demonstrate that you have been committed to protecting PHI and ensuring compliance. For this, you need to maintain an up-to-date account of all security and compliance activities.

SecureGRC comes with the capability to run periodic audits that continuously monitor security and compliance, and to generate risk reports and reports on compliance, so that vulnerabilities are identified and appropriate remediation measures initiated.

9. Conduct self-audits at periodic intervals. This activity can help you fill gaps in your privacy and security set-up. A proactive audit of your entity, as well as of your associates’, can be instrumental in identifying problem areas and mitigating risks.

SecureGRC offers this capability. One of the most salient features of this solution is its ability to conduct self-assessments/audits at regular intervals to determine the status of compliance in your organization. In the ever-changing regulatory landscape, this feature can be very helpful in ensuring ongoing compliance and security.

10. Get expert assistance. This gives you an outside perspective on your compliance status well before the OCR audit. An outside vendor can also offer valuable expertise, augment your resources, and help you prepare for the audit better.

SecureGRC has been designed by eGestalt’s team of qualified experts who have vast experience in the area and are well aware of the challenges you face with respect to information security and compliance. With built-in security best practices, implementation briefs, citation guidance, policies, and risk parameters, SecureGRC provides an inside audit of the state of security and compliance. So with SecureGRC backing your compliance initiatives, you can gain the upper hand on governance and compliance, and face any audit with complete confidence.

The post Preparing for the OCR Audit? Find out How Aegify Can Help appeared first on Aegify.

How to Survive an OCR Investigation
https://www.aegify.com/how-to-survive-an-ocr-investigation/
Sat, 15 Oct 2011 05:18:34 +0000
http://www.egestalt.com/blog/?p=130

Does the term ‘OCR Investigation’ send shivers down your spine? Well, if so, you’re definitely not alone. Every healthcare entity today faces multiple challenges with regard to information security and compliance. Incidents of data breach have become more frequent with increased use of mobile devices like laptops, smart phones, and portable storage devices like USB drives.

While this has complicated matters of information security on one side, on the other, rising fines and penalties for violation of HIPAA rules have left healthcare entities totally hassled. Earlier this year Cignet Health paid a heavy price of $4.3 million for denying patients access to medical records, and Massachusetts General was fined $1 million for loss of PHI.

Although these incidents clearly demonstrate that a breach is bound to be followed by an OCR investigation, you should remember that an OCR investigation does not necessarily mean loss of reputation. Rick Kam, President and Co-Founder of ID Experts, and Christine Arevalo, Director of Healthcare Identity Management and founding employee of ID Experts, share 3 tips to survive an OCR breach investigation:

  1. Avoiding a breach by being prepared: Preventive action is always better than corrective action, and all the more so when it comes to preventing a security breach. It is therefore important that you strive for ‘voluntary compliance’, or what the OCR calls a ‘culture of compliance’. While HIPAA guidelines have been around for several years, very few organizations have devised and implemented a compliance plan to prevent security breaches. A critical element in compliance planning is an Incident Response Plan (IRP), which comprises a strategy for how providers will react to an incident.

    In most cases, organizations are already doing the right things but fail to document them. Hence, when faced with an investigation, they have very little evidence with which to defend themselves. An IRP helps create a defensible response by allowing you to react to complaints in a documented, methodical and timely fashion.

  2. Educating the investigator: If your organization is under scrutiny by OCR the best approach would be to make the investigator’s job easy with a timely response. It is important to act defensibly and not defensively. The key to surviving an OCR investigation is creating such a defensible approach.

    This would mean demonstrating consistency in the way you assess risk, document findings, and execute incident response; preparing yourself to handle unexpected requests for information and access; and compiling information including policies and procedures limiting access to information, evidence of notification to the media, a copy of the notice of privacy practices, evidence supporting action taken to prevent recurrence, etc. These can go a long way toward easing the investigation process.

  3. Seeking help: Since investigators also aim to do the right thing just as you do, on most occasions they turn out to be a valuable asset during the investigation. Hence it may be helpful to call the investigator and get a baseline of expectations. You can even express your concerns to the investigator and ask questions. Most of all, you should show empathy for investigators and express your willingness to help them through the investigation by providing timely, accurate information.

Ensuring information safety is one of your primary responsibilities as a healthcare provider. While automated HIPAA compliance software or expert professional help can go a long way in ensuring security and compliance, in the event of a breach an OCR investigation becomes unavoidable. But by preparing yourself with a comprehensive IRP, co-operating with the investigator, and seeking the investigator’s guidance in the process, you can not only survive the investigation but also clearly demonstrate your determination to be compliant.

The post How to Survive an OCR Investigation appeared first on Aegify.
