Healthcare organizations are focused on the health and welfare of their patients. It is the very reason for their existence. Today, patient “welfare” increasingly means protecting patient data. It is a daunting task given the complexity and ever-evolving requirements. The industry and HIPAA regulations struggle to keep up with rapidly evolving cyber thieves.

Over a year ago we set up a HIPAA Quick Check site where organizations can take a few minutes to see just how well they actually stack up to HIPAA requirements at a very basic level. It is simple and quick (10 questions) and anonymous, so no information is required to run through the checklist. It was not meant to and cannot replace a true risk assessment. However, it was eye-opening to see the scores.

First Off, The Questions…

  1. Unbiased professional annual Risk Assessment completed with results documented? (Related Citation(s): 164.308 Administrative Safeguards)
  2. Policies & Procedures developed based on your business requirements, current per the Omnibus Final Rule? (Related Citation(s): 164.316: Policies & Procedures / Documentation Requirements)
  3. Initial employee HIPAA training with regular annual refresher classes? (Related Citation(s): 164.308 Administrative Safeguards)
  4. Enforcement of Policies and Procedures with an established Sanctions Policy? (Related Citation(s): 164.308 Administrative Safeguards)
  5. Implementation of a Risk Management Plan with records of compliance activities and security issues? (Related Citation(s): 164.308 Administrative Safeguards)
  6. Business Associate Agreement implemented with requisite suppliers per the final rule effective January 25, 2013? (Related Citation(s): 164.308 Administrative Safeguards, 164.314: Organizational Requirements)
  7. Established Breach Protocols and Notification Processes? (Related Citation(s): 164.308 Administrative Safeguards, 164.400-414: Breach Notifications)
  8. Automated vulnerability assessment of all networked devices? (Related Citation(s): 164.308 Administrative Safeguards, 164.312: Technical Safeguards)
  9. Protection of ePHI through encryption while at rest and in motion? (Related Citation(s): 164.312: Technical Safeguards)
  10. Independent third-party continuous security monitoring? (Related Citation(s): 164.308 Administrative Safeguards, 164.312: Technical Safeguards)

Now, The Results

Pretty scary! Especially when you consider that pretty much everyone has been breached at some point and just doesn’t know it. This simple Quick Check is just a small sample of what a true Risk Assessment provides. The importance of an annual Risk Assessment is that not only can you find the issues, but you can get them fixed.

I am sure that many went into the Quick Check thinking they would do pretty well. We had a few that passed, and I doubt that they were being truly honest; if you missed any one of the questions above, you would fail a HIPAA audit! The fact that ANY person can report a violation at ANY TIME should scare ANY health organization. All it takes is one report to start the process of an audit.

How do you feel about your HIPAA Compliance?

Want to find out? You can take the HIPAA Quick Check!