Guest Column | March 28, 2017

OCR Audits To Focus On Risk Assessments, Business Associates

By Manolito Jones, Healthcare Solutions Team Leader at LockPath

By any estimate, 2016 was a terrible year for healthcare data breaches, and the numbers that back that claim up are staggering. There were 329 breaches involving 500 or more records reported to the OCR — 81 of which compromised more than 10,000 records.

Hacking is the main cause of these breaches, and providers are the primary targets. Research based on OCR and HHS records indicates healthcare cybersecurity attacks increased 320 percent over the prior year, and the total number of patient records breached in provider-targeted attacks increased 181 percent (9.5 million records).

Data breaches, ransomware, and medical device tampering are constant threats to hospitals, clinics, and health plans. Cybercrime isn’t going anywhere, and the OCR has clearly signaled that its audit, investigation, and enforcement activities will continue to expand.

In unstable times, it’s important to know where risk lies and how it can be mitigated. As healthcare organizations work to optimize their internal processes and compliance programs to prepare for audits, it will be important to set strategic priorities informed by enterprise-wide risk assessments. Addressing cyber security and HIPAA compliance in tandem through integrated risk management and data governance activities is the most efficient and effective way to build business resilience and protect patient data.

HIPAA Audit Preparation: Where To Begin
The OCR is in Phase II of its HIPAA audit program, which includes both covered entities and business associates. The OCR will also investigate providers and associates after a data breach and upon receipt of legitimate consumer complaints, and media reports alleging HIPAA violations may trigger a compliance review. All of these agency actions, as well as enforcement-related follow-up, will require providers and associates to demonstrate they have thoroughly assessed risks to data security and privacy across the organization. Such assessments help covered entities ensure HIPAA-mandated physical, technical, and administrative safeguards are in place and functioning as intended.

The management of Protected Health Information (PHI) is the core focus of OCR HIPAA audits. Providers should begin compliance and audit preparations by making sure they know where and how every bit of PHI is stored and transferred. Databases, cloud storage and services, mobile devices, and laptops should be inventoried and evaluated for vulnerabilities, tight access management, strong passwords, and proper encryption protocols. Any vendors that process patient data are considered Business Associates (BAs). Covered entities must perform risk assessments on their BAs and establish formal data governance agreements (BAAs) with them. Failure to do so risks OCR enforcement actions, including penalties. The HIPAA Newsroom is not a place you want to see your organization publicized.

It’s a mistake to regard required compliance activities as discrete tasks or boxes to be checked off. Risk assessments and related monitoring should be an ongoing process. When providers implement new technology, cloud services, or processes that touch PHI, they should review and update their assessments. Again, failing to conduct these evaluations, follow through on remediation, or document related activities could lead to larger fines in the event of a data breach.

The OCR examines assessments for completion, accuracy, and currency. To help guide providers and BAs through the process, the Office of the National Coordinator for Health Information Technology (ONC) has provided a Security Risk Assessment Tool. Comprehensive best-practice risk frameworks like NIST and the ISO-27000 series are also helpful in ensuring your program is up to par.

How To Efficiently Manage Compliance And Risk
Executing the processes required to meet all these obligations is a true challenge for organizations of all sizes. Comprehensive governance, risk management, and compliance (GRC) solutions automate and systematize cyber security and internal audit tasks across the enterprise. These cloud-based solutions help centralize data and documents, monitor workflow and remediation, and manage assessments. GRC platforms reduce manual processes, deduplicate management efforts, and centralize information while increasing rigor and thoroughness.

The compliance team can use a GRC system to map the risks identified in assessments to policies, controls, and authoritative sources (laws, regulations, and standards), strengthening the protective connections between cyber security, data governance, and risk management.

Because the OCR requires providers and BAs to respond to audits within a short time, it is paramount to have documentation up to date and organized. GRC solutions are particularly valuable in this respect. All activities, including risk assessments and analyses, policy documents, and BAAs, are tracked and documented in a central repository, making it easy to produce dashboards and reports.

The ability to gather, analyze, and distribute documents enterprise-wide is essential to creating a comprehensive risk profile. Using purpose-built GRC solutions to integrate security and compliance programs also fosters greater collaboration and accountability. The enhanced efficiency and visibility enabled by these platforms make it easier to identify gaps in PHI protection and processes that need to be fixed. These interventions not only help to ensure audit-readiness, they also reinforce security solutions and streamline routine operations.

The challenges ahead are extraordinary. The integrity of the healthcare industry, public health outcomes, and individual privacy and safety are all at stake. Data breach incidents are inevitable, but strong risk management and data security programs enable intelligent incident response to contain damage and protect patients and bottom lines. Organizations with mature risk management programs will be the most resilient, and most prepared for OCR audits, all the while delivering secure and effective services to their patients and clients.

About The Author
Manolito Jones is the Healthcare Solutions Team Leader for LockPath’s healthcare team. With 15 years in the healthcare and pharmaceutical industries, Jones’ focus is on helping healthcare organizations realize value through technology.