While working directly with healthcare organizations on the challenges that HIPAA and HITECH present, Tony Kong, Director of the West Monroe Partners healthcare practice, believes there are reasonable compliance steps that organizations can take in preparing for audits.

Kong said West Monroe Partners, a business and technology consulting firm, works with a specialization of healthcare providers that are portfolio companies of private equity firms. He told HealthITSecurity.com that there’s some lack of compliance awareness in healthcare, especially among smaller organizations. Some organizations may think they’re too small to be targeted by the Office for Civil Rights (OCR) in a breach investigation or audit. But, Kong explained, the fact of the matter is that a number of recently settled cases have proved that the size of the organization doesn’t matter: all covered entities are required to comply with HIPAA and HITECH.

And for some organizations that have been in business for 5-8 years or less, Kong said that West Monroe Partners has learned that they’ve had to make IT budget tradeoffs, directing their investments toward growing their platform instead of securing and protecting their network infrastructure.

It’s unfortunate that these organizations have to make budget tradeoffs to allocate funds toward other initiatives instead of securing protected health information (PHI). With the new HIPAA Omnibus provisions and the level of compliance, we’re seeing organizations take steps such as encrypting all laptops and mobile devices and implementing mobile device management policies. So we’re seeing a lot of activity, but even they would admit that they’re a bit behind and need to step up to meet regulatory requirements.

Another issue, Kong added, is that most IT leaders who double as security personnel within healthcare organizations are excellent software developers who have built out infrastructure or worked with program management, but now they’re being asked to be the security directors as well. With that in mind, Kong said he encourages some of the security specialist companies to reach out to small providers, come in and do an initial assessment, and work with outside legal counsel. “The other good thing is that there are a lot of other good tools out there that can help them achieve a level of compliance, such as risk assessment and monitoring tools,” he said.

OCR audits

It’s no secret that OCR is preparing its 2014 HIPAA audit program and, while advising healthcare organizations on how to approach potential audits, Kong said that OCR likes to use the phrase “readable set of steps” when referring to expectations of providers. This means the organization has taken a reasonable set of steps around administrative, technical and physical controls as a first step toward securing its PHI.

From an administrative perspective, OCR will look at the policies and procedures that the organization has in place or, for instance, whether all employees have taken HIPAA awareness training. Are those published policies easy to find for employees if they have questions? Do they know who the security and privacy officers are? And when looking at technical controls, they’ll be looking at encryption tools such as BitLocker on Windows 7. Those are some of the key indicators OCR will be looking for as it takes its first steps in auditing.

Additionally, OCR will look at endpoint encryption for laptops or desktops, as well as the type of security protections organizations have around the perimeter of their networks. A lot of the firewall technologies these days come with affordable intrusion prevention and detection systems.

There should also be some log monitoring and processes put in place so an organization knows, for example, if someone tried to penetrate its network. And, internally within their respective systems, virtualization and security policies definitely help, but there’s also good encryption technology that’s built into storage devices now. The biggest debate among a lot of CIOs and CTOs is whether encrypting their databases will affect performance: they can’t encrypt every field, because doing so would cause a degradation in performance.

Source: http://healthitsecurity.com/2014/03/11/small-organization-steps-toward-2014-hipaa-audit-readiness/