yearly HIPAA compliance audit. This can be done in-house, or you can invite an external consultant to assist you. With the advent of the Omnibus Final Rule in January 2013, OCR extended this requirement of a yearly internal compliance audit to business associates.
You can do your yearly RA as the first step in this yearly audit. Additionally, this self-audit lets you know where all of the HIPAA documentation is and keep it in one place, one electronic file, or at least maintain an inventory of where it is kept and by whom.
One of the authors had one client go through an OCR audit in round 1 and another client in round 2, and both have stated that without knowing where all of the documentation is, it may cost you 200 to 300 man-hours to find and validate your organization's current HIPAA documentation.
6. mHealth
mHealth is an abbreviation for mobile
health, a term used for the practice of
medicine and public health supported by
mobile devices.
The real question is which HIPAA privacy and security requirements need to be in place for mobile communication tools, telehealth, and wearable devices, and what constitutes a breach in each of these areas. For example, does a Fitbit need to meet the HIPAA privacy and security requirements? The data it collects would be PHI if the device was provided to you by a HIPAA covered entity or business associate. Insulin pumps, pacemakers, and other such devices have computer chips in them that collect medical information about an individual patient, so they too may need to meet the HIPAA privacy and security requirements.
Right now OCR is very concerned about mobile devices and wants them included in any RA, but it makes sense to include all telehealth services, mobile clinical tools that collect PHI, and any wearables provided by your office or hospital in your yearly RA. All of these areas also need to be part of your enterprise training.
7. Clouds, Offshore, and Remote Access
Cloud, offshore work, and remote access are additional areas where the boundaries are blurring in healthcare. Today, cloud services are often used without the organization's knowledge, and creative doctors and other staff are creating security risks and vulnerabilities that you will not know about until you do an audit or have an incident.
Offshore work and remote access are in a category by themselves. For offshore work you need a good policy and a business associate agreement that includes a cybersecurity insurance provision and a provision under which the offshore entity submits to a court's jurisdiction even if it has no USA parent organization. We suggest that the insurance be with an American insurance company that you can reach if the offshore entity refuses to submit to state or federal court jurisdiction.
Another thing to do for both offshore and onshore remote-access workers is to devise a survey to make sure they are not working in areas that are vulnerable to unauthorized access. Again, a strong set of policies and periodic audits must be in place to demonstrate evidence of due diligence. Include all of the above in ongoing risk assessments and mitigation.
8. Business Associate (BA) Management
The first step in BA management is to develop a BA inventory and risk-rate it by tier (high, medium, and low).
Next, make sure your BA agreement template is up to date with the Omnibus Final Rule as well as with your business needs.
Since many covered entities and business associates have hundreds of BAs, assessing them becomes a major project. The best time to assess a BA is pre-contract. Depending on the risk tier and the type of BA, there are key questions that should be asked. The authors recommend that covered entities (CEs) use a central electronic repository to manage the tasking and tracking of BA compliance, and for review and follow-up. One assessment question or request can be to attach an executed BAA. Keeping all answers and evidence documentation organized in one electronic repository for each BA is a good way to demonstrate due diligence and to learn where your organization could be at risk of a breach caused by a BA with weak controls over your protected health information.