The Office for Civil Rights (OCR) Breach Portal reported that more breaches occurred in the first six months of 2018 than in all of 2017. About four million records were exposed in the first half of 2018, according to the OCR, one million more than had been reported for all of 2017. These breaches also set records for the number of individuals affected.

Catie Heindel, JD, CHC, CHPC, has a long history of assisting clients with Health Insurance Portability and Accountability Act (HIPAA) privacy and security issues. She makes the point that regulatory compliance is not confined to the Federal Government; every state has corresponding privacy protection laws as well. However, they vary greatly from one jurisdiction to another. This reflects increased enforcement, along with growing penalties for data breaches. Ms. Heindel further notes that compliance officers are focusing on this area more than ever before.

Results from the Ninth Annual Healthcare Compliance Benchmark Survey, conducted by SAI Global and Strategic Management Services, found that nearly two-thirds of respondents cited HIPAA security/cyber-security as their highest concern, and over half of the respondents placed HIPAA privacy as their highest concern. Also, 75 percent of respondents reported that the compliance office has responsibility for HIPAA privacy, and nearly a third reported that the compliance office has responsibility for HIPAA security.

Ms. Heindel offered a number of checklist items that may be helpful in guarding against data breaches:
- Has there been a recent comprehensive security risk and vulnerability assessment?
- Has a review of both OCR and state regulations regarding data security been conducted?
- Are the breach assessment procedures up to date?
- Is there up-to-date contact information for all identified Business Associates, along with a record of the services each one supplies?
- Are the privacy and security policies and procedures up to date and being followed?
- Are all laptops and mobile devices (including cell phones and flash drives) registered?
- Have all laptops and mobile devices been evaluated for appropriate security controls?
- Have all laptops and mobile devices been encrypted?
- Do all systems and software that transmit electronic Protected Health Information (PHI) employ encryption technology?
- Are policies and processes in place to deal with any breach of PHI?
- Are Security Rule encryption and decryption requirements being met?
- Are facility access control processes in place?
- Have Business Associates been trained on breach reporting to Covered Entities?
- Have action items identified in risk assessments been completed in a timely manner?
- Are policies and procedures that address uses and disclosures of PHI in place?
- Are reasonable and appropriate safeguards for paper and verbal PHI in place?
- Does the workforce receive regular HIPAA training, including how to recognize incidents?
- Is there an inventory of information system assets, including mobile devices?
- Are security plans for all facilities that store or otherwise have access to PHI in place?
- How are data incidents reported internally?
- Does staff know how to report incidents to the right people?
- Has there been an independent security risk assessment conducted by outside experts?
- Are mobile devices monitored to determine if they are being used to exchange electronic PHI?
- Are proper authentication, encryption, and physical protections in place that secure electronic PHI?
- Have mobile device users been properly trained on security procedures?
- Is there continuous monitoring and measurement of HIPAA compliance efforts?
For more information, Catie Heindel can be reached at firstname.lastname@example.org or (847) 707-9830. See also: https://compliance.com/how-to-prepare-for-ocr-audit.