Gearing Up for HIPAA Compliance Audits in IT, Part 4: Technical Controls

It’s almost the end of April. By now, all HIPAA-Covered Entities should at least be toying with the idea of starting a security risk analysis (required by law) in preparation for a compliance audit. Eventually, the U.S. Department of Health & Human Services and its Office for Civil Rights (OCR) will get to you.

In my ongoing blog series about this complex topic, I am focusing a good bit on the responsibilities of Business Associates as defined by HIPAA and HITECH because that is our biggest area of concern at Graphic Enterprises. Our office equipment – including many different models of Konica Minolta printers and copiers, as well as associated electronic document management systems – is hard at work in many health care offices throughout Ohio and Pennsylvania; documents containing PHI (protected health information) are scanned, printed, faxed and emailed every day. And, I expect to hear from those offices in the coming months, asking us to provide detailed information about how our office equipment meets the requirements of the Security Rule.

Whether you currently use a multi-function printer or copier – or are in the process of looking for a new one – as a HIPAA-covered entity you should work closely with your vendor or dealer to make sure your equipment has these critical security features:

  • Access control, either device-based or network-based. This ensures that only the people who should be looking at PHI will have access to PHI in electronic or paper format.
  • Automatic logoff, which ensures that every user is logged off soon after using the printer, minimizing accidental or intentional viewing of PHI.
  • Authentication via login at the operation panel or with a smartcard, HID card or biometrics.
  • Emergency access to data for situations where systems crash or PHI has been breached.
  • Audit logging, so you can follow the trail of all PHI that has passed through the printer.
  • Encryption, so that PHI stored on or transmitted by the device cannot be read if the data is intercepted or the device is lost or stolen.
  • Integrity controls, so that you can be certain that PHI and other information has not been altered or destroyed in an unauthorized manner.

In some cases, your office equipment may already have these features built in, so all you have to do is make sure they are all “turned on” and functioning properly. If your copier or printer does not provide these safeguards, it’s time to look for a new model. Medical offices in Canton, North Canton, Akron, Youngstown and beyond are welcome to contact us for help with office equipment security features.
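A practical way to confirm that these safeguards are actually "turned on" is to check the device's exported settings and a sample of its audit log against your policy. The script below is an added example, not code from the original post or from Konica Minolta; the configuration keys, the audit-log line format, the 300-second logoff limit and the sample records are all constructed assumptions for illustration, so map them to whatever your device really exports.

```python
"""Added example: self-check of a multi-function printer's settings and audit log
against the HIPAA technical safeguards listed above (access control, automatic
logoff, authentication, audit logging, encryption). Configuration keys, log
format and thresholds are hypothetical, not a vendor's real export format."""
import re

# Policy thresholds (assumed values; take yours from your own risk analysis).
MAX_AUTO_LOGOFF_SECONDS = 300
APPROVED_AUTH_METHODS = {"panel_login", "smartcard", "hid_card", "biometric"}


def audit_device_config(cfg: dict) -> list:
    """Return a list of findings; an empty list means every safeguard is on."""
    findings = []
    if not cfg.get("access_control_enabled"):
        findings.append("access control disabled: anyone at the panel can print or scan PHI")
    timeout = cfg.get("auto_logoff_seconds")
    if not timeout:  # missing or 0 both mean the user stays logged in
        findings.append("automatic logoff disabled")
    elif timeout > MAX_AUTO_LOGOFF_SECONDS:
        findings.append(f"auto-logoff timeout {timeout}s exceeds policy maximum "
                        f"{MAX_AUTO_LOGOFF_SECONDS}s")
    if not set(cfg.get("auth_methods", [])) & APPROVED_AUTH_METHODS:
        findings.append("no approved authentication method configured")
    if not cfg.get("audit_log_enabled"):
        findings.append("audit logging disabled")
    if not cfg.get("hdd_encryption_enabled"):
        findings.append("stored-data encryption disabled")
    if not cfg.get("tls_enabled"):
        findings.append("network encryption (TLS) disabled")
    return findings


# Assumed audit-record layout: one job per line with the user who authenticated.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) job=(?P<job>\d+) type=(?P<type>\w+) user=(?P<user>\S*) pages=(?P<pages>\d+)$"
)


def check_audit_log(lines) -> list:
    """Every job that touched PHI must be attributable to an authenticated user.
    An empty user field means access control was bypassed for that job."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            findings.append(f"unparseable audit record: {line!r}")
            continue
        if not m["user"]:
            findings.append(f"job {m['job']} ({m['type']}) has no authenticated user")
    return findings


# Constructed sample inputs for the demonstration.
WEAK_CONFIG = {
    "access_control_enabled": True,
    "auto_logoff_seconds": 0,
    "auth_methods": ["panel_login"],
    "audit_log_enabled": False,
    "hdd_encryption_enabled": False,
    "tls_enabled": True,
}
HARDENED_CONFIG = {
    "access_control_enabled": True,
    "auto_logoff_seconds": 60,
    "auth_methods": ["smartcard", "panel_login"],
    "audit_log_enabled": True,
    "hdd_encryption_enabled": True,
    "tls_enabled": True,
}
SAMPLE_LOG = [
    "2024-04-29T09:12:03 job=1041 type=scan user=jsmith pages=4",
    "2024-04-29T09:15:44 job=1042 type=print user= pages=12",
    "2024-04-29T09:20:10 job=1043 type=fax user=rlee pages=2",
]

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name} config:", audit_device_config(cfg) or "all safeguards enabled")
    print("audit log:", check_audit_log(SAMPLE_LOG) or "every job attributable")
```

Run it against a settings export from each device in the office and keep the output with your risk-analysis spreadsheet; the weak sample above produces three findings (logoff, audit logging, stored-data encryption) and the log check flags the one print job that has no user attached.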

Gearing Up for HIPAA Compliance Audits in IT, Part 3: Security Risk Analysis

With HIPAA audits getting underway this year, Covered Entities are starting to ask, “What do I need to do to get ready?” As the president of an authorized Konica Minolta printer and copier company, I am asking that question, too, because the equipment we sell and service may eventually hold PHI (protected health information).

As a Business Associate of many Covered Entities in Northeast Ohio – including hospitals, physician offices, clinics and more in Canton, North Canton, Akron, Youngstown and beyond – the team at Graphic Enterprises recognizes the importance of performing a HIPAA security risk analysis (in fact, the Security Rule requires it), as it pertains to our customers and equipment.

To get everyone in our organization on the same page, we’ve devised this introductory checklist. Of course, as we get a better grip on this whole process, this checklist will probably change somewhat. However, I hope by sharing it, we can help you get started with your own HIPAA risk analysis.

  1. Start with the basics. Under HIPAA, providers are required to review and update all policies, procedures and protections surrounding PHI. If you do not have a policy, now would be a very good time to draft one and have it scrutinized by legal counsel.
  2. The buck stops here. Designate someone in your organization to lead the risk assessment and, subsequently, the risk management process. This person should have a good understanding of both the technical (I am talking about systems) and the non-technical aspects of health care compliance.
  3. Examine the flow of PHI in the real world. Things always look good on paper, right? But, what path(s) does patient information follow in your office or organization on a day-to-day basis? There are three key areas you should be scrutinizing for threats, vulnerabilities, risks and exposures: administrative procedures, physical safeguards, and technical standards and mechanisms. The U.S. Department of Health and Human Services (HHS) provides recommendations in its document, Guidance on Risk Analysis Requirements Under the HIPAA Security Rule. Just a bit of fun bedtime reading, right? (Hint: you will want to do a deep dive into the sections that talk about addressable controls.)
  4. Create a spreadsheet. I love a good spreadsheet for keeping track of all the details of my business, and there are sure to be many, many details involved in this HIPAA risk analysis. You will need a good way to keep track of them.
  5. Carefully scrutinize business associate contracts. At the end of the day, a Covered Entity is responsible for patients and their PHI. So, you want control over any PHI you may need to give a business associate, as well as legal recourse should the business associate allow a breach. Every business associate contract should contain an indemnification provision. Again, I recommend that you seek legal counsel on this issue.
  6. Document everything. Need I say more? This will be especially important when you complete the assessment and begin the management part.
  7. Keep things fresh. This is not a set-it-and-forget-it process. You may have no way of knowing when you will be audited by the OCR. Therefore, you need to make sure you complete a risk analysis and management process at regular intervals, just in case.

Let me know how your HIPAA audit preparation is going. I welcome your comments and input. After all, we are all new at this.