The most recent HIPAA audit protocols were made public by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) in March 2013, when the Final Omnibus Rule brought into force provisions of the Health Insurance Portability and Accountability Act (HIPAA) intended to strengthen the protection of protected health information (PHI).
The HIPAA audit protocols are extremely detailed, comprising 169 modules that examine the processes, controls and policies relating to privacy, security and breach notification. Not every module applies to every HIPAA covered entity, since the areas examined depend on the nature of the entity’s business, but it is worth being familiar with the areas on which the protocols for auditing HIPAA covered entities focus:
- The HIPAA Privacy Rule, with a particular focus on the notice of privacy practices for PHI, patients’ rights to request privacy protection for PHI, individuals’ right of access to PHI, administrative requirements, uses and disclosures of PHI, amendment of PHI, and the accounting of disclosures.
- The HIPAA Security Rule, chiefly the requirements established by the administrative, physical and technical safeguards. These three sets of safeguards cover every aspect of how PHI is stored and transmitted, including risk assessments and the establishment of messaging policies.
- The HIPAA Breach Notification Rule, specifically how to determine whether a breach of PHI has occurred, when it must be reported to OCR, who else must be notified, and what to do when the breach is experienced by a Business Associate.
Many of the new protocols for auditing HIPAA covered entities were introduced in response to the growing number of personal mobile devices in the workplace. One study claimed that more than 80 percent of physicians use a personal mobile device to access or send PHI, and OCR reports that the loss or theft of a mobile device is the leading cause of patient data breaches.
HIPAA Audit Protocols Adherence
The HIPAA audit protocols within the Security Rule require that:
- Safeguards exist to prevent unauthorized physical access to PHI stored on hardware devices (including USB flash drives)
- PHI is transmitted securely
- Policies are in place that tell employees how PHI may be communicated
- Sanctions are applied when a breach occurs
The simplest way to comply with the HIPAA Security Rule, and with the HIPAA audit protocols, is to adopt a secure messaging solution. Secure messaging solutions keep PHI encrypted in a cloud-based system, restrict the communication of PHI to within an organization’s private network, and provide administrative controls for reviewing how the solution is used. Adopting such a solution does not on its own discharge the covered entity’s obligations: the entity must still carry out its own risk analysis, and a vendor that stores or transmits PHI on its behalf is a Business Associate and must be bound by a Business Associate Agreement.
Secure messaging solutions are easy to adopt, since the apps through which authorized users access and share PHI have a familiar text-like interface that users of commercially available messaging apps will recognize. Additionally, because secure messaging solutions run on cloud-based Software-as-a-Service platforms, there is no need to buy servers or hardware, or to strain the resources of an IT department by installing a complicated software program.
Other Benefits of Secure Messaging Solutions
As well as safeguarding the integrity of PHI and helping healthcare organizations meet the requirements of the protocols for auditing HIPAA covered entities, the adoption of secure messaging solutions has brought healthcare organizations advantages in productivity and in the standard of care delivered to patients.
Delivery alerts and read receipts are just two of the features that help to eliminate phone tag and allow medical professionals to allocate their time more productively. The ability to prioritize messages within a single inbox lets physicians streamline their workflows and deal with urgent clinical matters before responding to less important ones.
Other advantages of implementing a secure messaging solution to comply with the requirements of the HIPAA audit protocols include:
- More efficient patient admissions
- Greater message accountability
- Faster delivery of test results
- Secure collaboration on a patient’s treatment
- Effective escalation of patient concerns
- Rapid confirmation of prescription orders
Outside a physical medical facility, emergency personnel and on-call doctors can receive patient data on the move via secure messaging. Home healthcare workers and community nurses can request physician consults through secure messaging, and telemedicine practitioners can treat their patients remotely without risking a breach of PHI.
Coming OCR Compliance Assessments
OCR announced in February 2014 that it would survey 1,200 covered entities and Business Associates as the first step in the next phase of HIPAA audits. The survey collects data on patient visits, the use and transmission of PHI, and business revenues in order to assess the “size, complexity and fitness of a respondent for an audit”.
In the previous round of compliance assessments, many HIPAA covered entities failed to meet the protocols for auditing HIPAA covered entities because they were unsure of the requirements. Those still unfamiliar with the HIPAA audit protocols should study the OCR website and the performance criteria it publishes.
Since OCR has the power to impose substantial fines on covered entities that fail an OCR audit should another breach of PHI occur, it is vital that healthcare organizations and Business Associates familiarize themselves with the measures they must take to safeguard the integrity of PHI and pass an OCR compliance assessment.