Lessons Learned from 2016 HIPAA Phase 2 Audits

by Sarah Harvey / May 26th, 2017

Now, with more than 200 Phase 2 HIPAA desk audits completed, Deven McGraw, Deputy Director of the Department of Health and Human Services’ Office for Civil Rights, is encouraging healthcare organizations to review the lessons learned from the completed desk audits to prepare for future HIPAA audit enforcement.

Understanding and navigating HIPAA audit enforcement has been on the minds of healthcare professionals for several years. Many covered entities and business associates have struggled to know what to focus on and in which areas they are lacking safeguards. Deven McGraw gave an exclusive address at HIMSS17 to share with the healthcare industry the top findings from the 2016 Phase 2 HIPAA audits.

Top 8 Lessons Learned from Phase 2 HIPAA Desk Audits

Let’s look at the top 8 lessons learned from the Phase 2 HIPAA audits and make sure you have all of these things in place before you’re audited by the OCR.

  • Lack of Business Associate Agreements

HIPAA law mandates that you have a signed agreement in place with any contractor or subcontractor who is considered a business associate. This means any vendor or third party that has access to protected health information (PHI) is required to sign a contract pertaining to the protection and use of that PHI. This also applies to any business associates using subcontractors.

  • Incomplete or Inaccurate Risk Analysis

An incomplete or inaccurate risk analysis is still a prevalent issue, mainly for organizations that underestimate their full scope and leave out major systems. Don’t forget that the HIPAA risk analysis is a risk-based, prescriptive approach to HIPAA compliance and should be step number one for any organization working towards HIPAA compliance. KirkpatrickPrice has published numerous resources for a step-by-step approach to performing a HIPAA risk analysis.

  • Failure to Manage Risk

Once your risks have been identified, it’s important to mitigate and properly manage them. If there are risks you cannot address, document them, document how you will manage them in the meantime, and fully document your remediation plan. Risk management is a critical component of any information security program.

  • Lack of Transmission Security

Encrypt everything! Any and all electronic transmission of protected health information (PHI) MUST be encrypted. No exceptions. And as always, if for whatever reason something cannot be encrypted, that needs to be formally documented along with the ways you are able to address and mitigate that particular risk.

  • No Patching of Software

We all saw the wake of WannaCrypt in the headlines this month and how failing to apply critical patches can lead to a devastating loss of business and operability. WannaCrypt targeted more healthcare organizations than any other kind of organization, so don’t learn this lesson twice! Patches must be up to date, as outdated software and missing patches make you an easier target. If there is a critical piece of software that you must use and that cannot be kept patched, be sure you’re documenting that and what you are doing to address any associated concerns.

  • Insider Threat

Whether your organization is small or large, it’s always important to have employee termination policies clearly defined and in place, and to ensure that you’re following them. Do you remove access for terminated employees? Are you using default passwords that can be easily cracked? Don’t fall victim to insider threat.

  • PHI Disposal

What good are strong administrative and technical safeguards if you’re exposing the low-hanging fruit? Improper disposal of PHI was a common issue found in the Phase 2 HIPAA audits. Make sure you’re properly disposing of PHI and don’t leave anything available for dumpster divers.

  • Lack of Incident Response Plan

Another common finding from the Phase 2 HIPAA audits is insufficient backup and contingency planning. With the risks of ransomware, we must not only be focusing on prevention but also have an Incident Response Plan tested and ready to deploy if, and when, necessary. Regular data backups also go hand-in-hand with incident response as a way to help minimize the damage from a breach or malicious attack.

Preparing for HIPAA audit enforcement may seem like an overwhelming task. Start with a risk analysis and don’t forget these 8 common findings when developing your HIPAA compliance program. If you have any questions or would like help preparing for Phase 2 HIPAA audits, contact us today.