For employees in an organization who are responsible for creating policies and procedures, and/or employees who implement and supervise the HIPAA rules, a high level of training is recommended.
This would include:
- Business owners.
- Executives, managers and officers.
- HR managers.
- IT managers (including contracted employees).
- Any other employee involved with implementing HIPAA.
In addition to this, training should be provided for any employee that comes into contact with PHI, including:
- Administrative assistants and receptionists.
- Supervisors and line managers.
- HR staff.
- IT staff.
- Any other employees who may come in contact with PHI.
Organizations will need to be able to confirm that sufficient training on the HIPAA standards (that are necessary or appropriate for a workforce member to perform his/her job duties) has been provided.
Another part of the audit projected to be included in the phase 2 audits relates to the risk analysis and management of transmission and encryption of electronic PHI (ePHI). This is expected to be included in the audit due to the high percentage of breaches that occur during the transmission of data, and the loss and theft of portable devices.
Organizations will need to demonstrate that sufficient encryption is in place for all ePHI transmission, and that staff are trained to ensure that encryption is used end to end, across all devices.
HIPAA audit preparation checklist for business associates
To ensure that they are prepared for a potential phase 2 audit, insurers and brokers should take the following steps:
- Ensure that a comprehensive assessment of potential security risks and vulnerabilities to the organization (a risk assessment) has been completed, and be able to confirm that all action items identified in the risk assessment have been completed or are on a reasonable timeline to be completed.
- If the organization has not implemented any of the Security Rule's addressable implementation specifications for any of its information systems (such as the encryption of ePHI), the organization will need to confirm that it has documented why that addressable implementation specification was not reasonable and appropriate, together with details of the alternative security measures that were implemented instead.
- Ensure a breach notification policy has been implemented by the organization, and that covered entities are aware of this policy.
- In addition to a website privacy notice, business associates should ensure that they have a notice of privacy practices in place that complies with HIPAA standards.
- Ensure that the organization has reasonable and appropriate safeguards in place relating to the storage of all forms of PHI, including a facility security plan for each physical location that stores or otherwise has access to PHI (in addition to any security policies that require a physical security plan).
- Ensure that appropriate levels of training have been provided to all staff who come into contact with PHI.
- Confirm that the organization maintains an accurate inventory of information system assets, including mobile devices (this also applies in a bring your own device environment).
- Confirm that all systems and software that transmit electronic PHI within the organization employ encryption technology, or provide a documented risk analysis supporting the decision not to employ encryption.
- Provide evidence that a full review of HIPAA security policies has been conducted to identify any required actions that have not been completed (e.g., physical security plans, disaster recovery plan, emergency access procedures) to meet HIPAA compliance.
OCR may not have announced the date that phase 2 audits will begin, but officials there are likely to move forward with entity selection and requests quickly once a date is confirmed. Business associates should therefore be using this time to ensure that they are fully prepared.