Breach Prevention: Developing Best Practices from OCR Audits and Enforcement Activities
AHIMA held its 11th Annual Privacy and Security Institute on October 7-8, 2017 in Los Angeles, concurrent with the national convention. As a sponsor of the event, MRO held a breach prevention session titled “Developing Best Practices from OCR Audits and Enforcement Activities.” During the presentation, Rita Bowen and I reviewed the current Office for Civil Rights (OCR) audit and enforcement landscape and provided best practice guidance based on audit and enforcement outcomes.
We discussed some of the biggest cases to date, including nine resolution agreements totaling over $17M collected by the OCR. The top five compliance issues (in order of frequency) were (1) impermissible uses and disclosures, (2) lack of safeguards, (3) lack of patient access to health information, (4) releasing more than the minimum necessary, and (5) lack of administrative safeguards for electronic Protected Health Information (PHI). Below are five best practices for breach prevention, as well as a video interview in which I recap the presentation.
Video Recap: AHIMA Privacy and Security Institute
Five Best Practices for Breach Prevention
1) Create a patient data protection committee.
This committee should oversee the organization’s patient privacy compliance program and conduct quarterly risk analyses and assessments. The committee also serves as the incident response team, and each member should review policies and procedures annually. In addition to these responsibilities, the committee should perform mock HIPAA audits using the OCR’s Phase 2 audit protocols.
2) Provide ongoing education and training for workforce members.
Many breaches are caused by unintentional actions of workforce members who are not familiar with the proper policies and procedures for Protected Health Information disclosure management. To prevent this, organizations should provide formal training at least once a year to ensure compliance with applicable federal and state law, and should reinforce policies and procedures through email reminders, posters, and patient privacy awareness activities.
3) Implement HIPAA’s security rules for administrative, physical and technical safeguards.
Make sure your organization’s risk analysis is current and complete; it is the foundation for identifying and addressing potential threats and vulnerabilities. Use technologies that strengthen your compliance program, such as access monitoring software. For HHS guidance on technical safeguards, visit the HHS website.
4) Test the effectiveness of your compliance program.
This can be done in a few ways: through internal, external, and penetration audits; through social engineering tests, which involve simulated phishing emails, simulated phone calls, and checking desks for exposed passwords; and through mock breach exercises.
5) Assess your Business Associates’ compliance.
With proper due diligence and periodic vendor assessments, healthcare providers can safeguard their organizations against breaches that originate with their Business Associates (BAs). Additionally, Business Associate Agreements (BAAs) help ensure HIPAA compliance and hold subcontractors liable for potential violations.
Complete the form below to download MRO’s eBook on breach prevention “Tips and Best Practices to Safeguard your Healthcare Organization.”