There are two possible interpretations of the term “HIPAA assessment criteria”: the criteria that should be reviewed when carrying out risk assessments, and the HIPAA Audit Protocol. It is necessary to be aware of both in order to be HIPAA compliant and to pass audits conducted by the U.S. Department of Health & Human Services' Office for Civil Rights (OCR).
This article summarizes the HIPAA assessment criteria in relation to both interpretations.
Risk Assessments for HIPAA
HIPAA risk assessments are a required and ongoing process to identify security flaws and risks to the confidentiality, integrity and availability of Protected Health Information (PHI). They should be carried out on a regular basis, and whenever systems or processes change materially, by a designated official, a staff member or outside specialist assigned to the task by the healthcare organization or other HIPAA-covered entity. The Privacy Rule requires a “Privacy Official” for this role; the Security Rule separately requires a “Security Official” who is responsible for the security risk analysis, although in smaller organizations one person often fills both roles.
Using the HIPAA assessment criteria included within the HIPAA Privacy Rule, the Privacy Official should review how PHI is managed in relation to:
- Accessing PHI
- Privacy and confidentiality
- Marketing purposes, fundraising and research projects
- The minimum necessary rule
- Sharing PHI and breach notification
- Staff training for HIPAA compliance
- Completing Business Associate agreements
The risk assessments required under the HIPAA Security Rule are far more extensive. The Security Official needs to review the administrative, physical and technical safeguards of the Security Rule, such as access and authentication controls, the physical security of the facilities and systems in which PHI is stored, and how electronic PHI is transmitted between medical staff.
Many of these requirements are concerned with preventing unauthorized access to PHI while it is at rest or in transit. Consequently, workstation access controls, the use of personal mobile devices and message accountability rank high among the HIPAA assessment criteria. Audit controls that record when PHI is accessed and how it is used are also important, both to spot security vulnerabilities and to detect risks to the integrity of PHI after the fact.
Protocol for HIPAA Audit
The current HIPAA Audit Protocol was established by OCR following a 2012 round of pilot audits that identified an alarming lack of compliance. Audited healthcare organizations registered numerous breaches of the HIPAA Breach Notification Rule, Privacy Rule and Security Rule, with the Security Rule accounting for the highest number of findings. Consequently, the current HIPAA assessment criteria for OCR audits focus on seven specific areas of the Privacy Rule:
- The right to request privacy protection for PHI (restrictions on uses and disclosures, and confidential communications)
- Notice of privacy practices for PHI
- Individuals' right of access to PHI
- Administrative obligations (policies, training, safeguards and sanctions)
- Uses and disclosures of PHI
- The right to amend PHI
- Accounting of disclosures
After the 2012 round of audits, OCR issued corrective action plans to help the healthcare organizations that had failed the audit achieve compliance. A second phase of audits is expected soon, and it is not anticipated that OCR will be as lenient. Any covered entity that does not adhere to the HIPAA compliance criteria faces financial penalties, sanctions, potential loss of license and even criminal proceedings for failing to protect PHI.
Secure Messaging & Fulfilling HIPAA Assessment Criteria
Secure messaging helps meet the HIPAA assessment criteria by operating within a secure cloud-based environment. The solution establishes an encrypted communications network for a healthcare organization that can only be accessed by personnel who have completed the ID authentication process. Because the cloud provider stores and transmits PHI on the organization's behalf, it is a business associate, and a Business Associate Agreement must be in place before PHI is sent through the platform.
Safeguards exist to prevent PHI being deliberately or accidentally shared outside the network or saved to an external hard drive. Each message sent through the secure messaging platform is acknowledged with a delivery alert and with a read receipt once it is opened. This confirms that each message reached the intended recipient's account and was opened there, and it provides full message accountability when combined with the platform's audit logs.
To adhere to the HIPAA assessment criteria, additional security measures automatically log personnel out of the network after a period of inactivity, messages have “lifespans” so that they auto-delete after a set time, and administrators can remotely PIN-lock the secure messaging app if a user's mobile device is lost or stolen.