Gearing Up for HIPAA Compliance Audits in IT, Part 7: Teamwork

In my final blog post for this HIPAA compliance audit series, I want to touch on a non-technical topic that will undoubtedly be crucial for any HIPAA-Covered Entity – the need for teamwork among the diverse individuals or departments responsible for ensuring compliance.

Today’s “traditional” audit teams must involve both technical and non-technical experts, and the HIPAA/HITECH regulations demand no less. In most cases, medical professionals, techies and even Business Associates must sit down together and examine the complete PHI (protected health information) trail within the organization and then hammer out numerous technical security decisions for each and every standard. That is no easy task.

So, if this process is staring you in the face, I recommend assembling a risk management team whose members are both knowledgeable about all aspects of HIPAA and HITECH and capable of working together successfully. Hopefully, this is a somewhat easier task.

As with any major project, preparation for a HIPAA compliance audit can be broken down into challenging but feasible steps.

  1. Select a team leader. This person should have a good grasp of your health-care organization and be able to oversee and integrate compliance and IT issues.
  2. Set reasonable, attainable goals for the team. Where do you need to be with this project in three months, six months, a year? Everyone needs to be on the same page and working towards the same objectives.
  3. Map out the PHI trail. Keep your eyes fixed only on the processes and equipment that are directly involved in the required security risk analysis.
  4. Pinpoint the gaps. Where are your risks along the PHI trail? Where are things well under control? This will give your group further focus.
  5. Map out strategies that sync between compliance, IT and vendors. This is where diverse teams often experience the most conflict. It’s important to make sure compliance, IT and business vendors are pulling together toward the team’s goals. There are numerous, low-cost resources that can help with this process, including spreadsheets (the old standby), mind mapping programs, project management tools and more. You may even need more than one!
  6. Measure progress and tweak strategies, if necessary. You will need to see where things stand at regular intervals (no less than monthly) to ensure that you hit your security goals.

If you are getting ready to embark on this HIPAA-compliance process, I hope this blog series has been helpful to you. As with any government-mandated audit, you will encounter many complexities, but, by assembling a good risk management team, you can take your first steps toward compliance with confidence.

If, during your analysis, you determine that a new copier or printer would better protect PHI, contact us at our North Canton headquarters. We are a Business Associate you can trust.

Gearing Up for HIPAA Compliance Audits in IT, Part 6: Document Management

A good electronic document management system is an essential part of, or complement to, an electronic health record (EHR) system, and to a copier or printer as well. Let us be honest – as much as you might want to deal only with e-documents, you will need to handle paper for the foreseeable future. So, if you are facing a HIPAA audit, it is essential to make sure that paper records are handled with as much care as digital ones. In my continuing series on preparing for these new HIPAA audits, I have invited Dennis Porter, our document management expert, to cover issues related to document management, EHRs and PHI (protected health information).

If I put myself in the auditor’s shoes, there are several things I would look at closely when it comes to document management processes and PHI security in health care.

  • Access to PHI. Best practice is to lock down employee access based on network ID – which is the same security as a domain login. So, when a person logs into the EHR or document management software, they are only granted access to very specific pieces of data. Make sure whatever system you are using allows you to restrict access at the category, folder and even document levels.
  • Audit Trail. The best document management systems and EHRs will provide documentation of all actions associated with documents, categories and folders in real time. This audit log will let you see who looked at a document, who changed it, who printed it, who emailed it, etc. And, if someone intentionally or accidentally deletes a document, the system administrator can recover it easily.
  • Server Management Component. This is the system’s security roadmap, and you should look at it carefully to ensure login permissions are right for who is allowed to view, modify, email and print PHI and other documents. If someone doesn’t have access to a particular folder, then that person should not even be able to see that folder when logged into the document management system.
  • Second Level of Security Passwords. Many good document management systems will offer another level of password protection above the network login. In most business environments, this isn’t necessary. But, if a HIPAA audit is imminent, it’s good if you have this avenue to explore.
  • Internal Policies. These medical document management and EHR security safeguards are only as good as your network administrator and his or her network security. And, they are only as good as your internal policies and how seriously employees take them. For example, if people don’t think about logging in or out before sharing a work station, then you have a bigger problem that no e-security measure is going to fix.
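The access-control and audit-trail behaviour described in the first three points above, as an added example that is not code from any EHR or document management product: folders a user is not granted are not even listed, every view/print/email/delete is recorded against the network ID, and a deleted document is recoverable by an administrator. The network IDs, folder names and document contents are constructed for the example.

```python
# Constructed illustration of folder-level access control, visibility
# filtering and an audit trail; not code from any EHR or DMS product.
from datetime import datetime, timezone


class DocumentStore:
    def __init__(self, acl, admins):
        self.acl = acl                    # folder -> set of network IDs allowed
        self.admins = set(admins)
        self.docs = {f: {} for f in acl}  # folder -> {doc: content}
        self.trash = {}                   # "folder/doc" -> content, recoverable
        self.audit = []                   # (timestamp, user, action, target)

    def _log(self, user, action, target):
        now = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit.append((now, user, action, target))

    def _authorize(self, user, folder, doc):
        # Deny by default, and record the refused attempt as well.
        if user not in self.acl.get(folder, set()):
            self._log(user, "denied", f"{folder}/{doc}")
            raise PermissionError(f"{user} may not access {folder}")

    def add(self, folder, doc, content):
        self.docs[folder][doc] = content

    def visible_folders(self, user):
        # A folder the user cannot access is not even listed.
        return sorted(f for f, ok in self.acl.items() if user in ok)

    def act(self, user, action, folder, doc):
        # view / print / email: read access required, every action logged.
        assert action in ("view", "print", "email")
        self._authorize(user, folder, doc)
        self._log(user, action, f"{folder}/{doc}")
        return self.docs[folder][doc]

    def delete(self, user, folder, doc):
        # Soft delete: content moves to the trash so an admin can recover it.
        self._authorize(user, folder, doc)
        self.trash[f"{folder}/{doc}"] = self.docs[folder].pop(doc)
        self._log(user, "delete", f"{folder}/{doc}")

    def restore(self, admin, folder, doc):
        if admin not in self.admins:
            self._log(admin, "denied", f"{folder}/{doc}")
            raise PermissionError("only an administrator can restore")
        self.docs[folder][doc] = self.trash.pop(f"{folder}/{doc}")
        self._log(admin, "restore", f"{folder}/{doc}")

    def history(self, folder, doc):
        # Who did what to this document, in order.
        return [(u, a) for _, u, a, t in self.audit if t == f"{folder}/{doc}"]


def demo():
    # Constructed sample: one nurse, one billing clerk, one administrator.
    store = DocumentStore({"Radiology": {"nurse1", "it.admin"},
                           "Billing": {"clerk1", "it.admin"}}, {"it.admin"})
    store.add("Radiology", "scan-0417.pdf", "[constructed PHI placeholder]")
    store.act("nurse1", "view", "Radiology", "scan-0417.pdf")
    store.act("nurse1", "print", "Radiology", "scan-0417.pdf")
    store.delete("nurse1", "Radiology", "scan-0417.pdf")
    store.restore("it.admin", "Radiology", "scan-0417.pdf")
    return store
```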

Let me mention that not all document management software is created equally. Some developers – even potentially those who design EHRs – add this facet as an afterthought, a clunky add-on to their software.

You may be tempted to purchase the document management system because, on the surface, it goes along with systems you already have. Before you do that, I encourage you to try it out. If it’s not user friendly, look instead for a good universal document management system that can work with your current program. This can save you lots of headaches down the road, especially if an auditor is knocking at your door.

If you’re a medical provider in the Canton, North Canton, Akron or Youngstown area and need advice on good electronic document management practices, contact us.

Gearing Up for HIPAA Compliance Audits in IT, Part 5: Printer Log Management

I know one of the biggest concerns that HIPAA-Covered Entities may have right now – aside from the HIPAA audit itself – is how to ensure that PHI (protected health information) isn’t stolen or stored in a manner that doesn’t comply with the law.

As I continue my series on how to prepare for a HIPAA audit, I’ve invited John Sedlak, our manager of network and managed print services, to explain what you can do to protect PHI that may exist in the logs on your copiers and printers.

There are two ways to handle multi-function printer logs: proactively and reactively. Obviously, being proactive is always better, but sometimes you just need to know how to implement a fix after the fact, especially if an audit is in the works.

The proactive approach to handling electronic PHI:

If you’re going to purchase a new printer or copier, ask for a data security overwrite kit. Some dealers will automatically include this and others offer it as an option.

The overwrite kit “writes zeroes.” What that means is, each time you scan, print, copy or fax a document, the device overwrites the temporary files holding that document on the hard drive, replacing the document’s binary data (ones and zeroes) with all zeroes, effectively erasing the document from the system’s storage.

If an auditor is looking at this feature (and you can be pretty sure they will), you’ll need to show them proof of purchase, along with a print-out of your system’s configuration page that shows how the overwrite kit works.

The reactive approach to handling electronic PHI:

If your multi-function printer does not have an overwrite kit, you are leaving yourself somewhat vulnerable. Although it’s not easy to steal the information from the copier’s hard drive (crooks need special forensic software to interpret the data), you still want to make sure sensitive information is protected and/or truly deleted. In fact, you’ll probably need to prove this, which requires “hard drive sanitization.”

When you’re ready to get rid of a printer or copier, take it to a facility (hopefully, your dealer provides this service) where they follow strict guidelines for “scrubbing” hard drives properly. Then, be sure you get a letter or certificate of sanitization from the facility that clearly documents this. When the auditor asks, you can show them this proof.
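The difference between the proactive and reactive situations above, as an added example that is not any vendor’s firmware: a toy model of a printer’s spool storage in which a plain delete only drops the file table entry and leaves the document bytes on the drive, while the overwrite kit zero-fills them, and a check that scans the raw image for constructed PHI markers the way a sanitization verification would. The SpoolDisk layout, job flow and sample documents are assumptions made for the example.

```python
# Constructed model of a multi-function printer's spool storage; not any
# vendor's firmware. It shows what a "writes zeroes" overwrite step changes.

class SpoolDisk:
    """Toy block device: a flat byte array plus a table of live temp files.
    disk.raw is what a forensic image of the drive would contain."""
    def __init__(self, size=4096):
        self.raw = bytearray(size)
        self.files = {}      # name -> (offset, length)
        self._next = 0       # simple bump allocator, no reuse

    def write_temp(self, name, data):
        off = self._next
        if off + len(data) > len(self.raw):
            raise OSError("spool full")
        self.raw[off:off + len(data)] = data
        self.files[name] = (off, len(data))
        self._next = off + len(data)

    def delete(self, name, overwrite_kit):
        # Plain delete only drops the table entry; the bytes stay on disk.
        # With the overwrite kit the document's bytes are replaced by zeroes.
        off, length = self.files.pop(name)
        if overwrite_kit:
            self.raw[off:off + length] = bytes(length)


def run_job(disk, job_id, document, overwrite_kit):
    """Scan/print/copy/fax job: spool, process, then delete the temp file."""
    name = f"spool/{job_id}"
    disk.write_temp(name, document)
    # ... the device would render or transmit the page here ...
    disk.delete(name, overwrite_kit)


def residual_phi(disk, markers):
    """Markers (constructed PHI strings) still recoverable from the raw image
    after every job has been deleted. An empty list means sanitized."""
    return [m for m in markers if m in disk.raw]


def compare():
    # Constructed sample documents; the names and MRNs are invented.
    docs = [b"Patient: Jane Doe MRN 0000123 Dx: ...",
            b"Patient: John Roe MRN 0000456 Rx: ..."]
    markers = [b"MRN 0000123", b"MRN 0000456"]
    results = {}
    for kit in (False, True):
        disk = SpoolDisk()
        for i, doc in enumerate(docs):
            run_job(disk, i, doc, overwrite_kit=kit)
        results[kit] = residual_phi(disk, markers)
    return results   # without the kit both markers remain; with it, none
```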

If your office is located in Northeast Ohio (Canton, Akron, Youngstown and beyond) or Western Pennsylvania and would like to learn more about the data overwrite kits and hard drive sanitization services we offer, contact us for more information.

Gearing Up for HIPAA Compliance Audits in IT, Part 4: Technical Controls

It’s almost the end of April. By now, all HIPAA-Covered Entities should at least be toying with the idea of starting a security risk analysis (required by law) in preparation for a compliance audit. Eventually, the U.S. Department of Health & Human Services and its Office for Civil Rights (OCR) will get to you.

In my ongoing blog series about this complex topic, I am focusing a good bit on the responsibilities of Business Associates as defined by HIPAA and HITECH because that is our biggest area of concern at Graphic Enterprises. Our office equipment – including many different models of Konica Minolta printers and copiers, as well as associated electronic document management systems – is hard at work in many health care offices throughout Ohio and Pennsylvania; documents containing PHI (protected health information) are scanned, printed, faxed and emailed every day. And, I expect to hear from those offices in the coming months, asking us to provide detailed information about how our office equipment meets the requirements of the Security Rule.

Whether you currently use a multi-function printer or copier – or are in the process of looking for a new one – as a HIPAA-covered entity you should work closely with your vendor or dealer to make sure your equipment has these critical security features:

  • Access control, either device-based or network-based. This ensures that only the people who should be looking at PHI will have access to PHI in electronic or paper format.
  • Automatic logoff, which ensures that every user is logged off soon after using the printer, minimizing accidental or intentional viewing of PHI.
  • Authentication via login at the operation panel or with a smartcard, HID card or biometrics.
  • Emergency access to data for situations where systems crash or PHI has been breached.
  • Audit logging, so you can follow the trail of all PHI that has passed through the printer.
  • Encryption to minimize PHI breaches.
  • Integrity so that you can be certain that PHI and other information is complete, accurate, valid, etc.

In some cases, your office equipment may already have these features built in, so all you have to do is make sure they are all “turned on” and functioning properly. If your copier or printer does not provide these safeguards, it’s time to look for a new model. Medical offices in Canton, North Canton, Akron, Youngstown and beyond are welcome to contact us for help with office equipment security features.

Gearing Up for HIPAA Compliance Audits in IT, Part 3: Security Risk Analysis

With HIPAA audits getting underway this year, Covered Entities are starting to ask, “What do I need to do to get ready?” As the president of an authorized Konica Minolta printer and copier company, I am asking that question, too, because the equipment we sell and service may eventually hold PHI (protected health information).

As a Business Associate of many Covered Entities in Northeast Ohio – including hospitals, physician offices, clinics and more in Canton, North Canton, Akron, Youngstown and beyond – the team at Graphic Enterprises recognizes the importance of performing a HIPAA security risk analysis (in fact, the Security Rule requires it), as it pertains to our customers and equipment.

To get everyone in our organization on the same page, we’ve devised this introductory checklist. Of course, as we get a better grip on this whole process, this checklist will probably change somewhat. However, I hope by sharing it, we can help you get started with your own HIPAA risk analysis.

  1. Start with the basics. Under HIPAA, providers are required to review and update all policies, procedures and protections surrounding PHI. If you do not have a policy, now would be a very good time to draft one and have it scrutinized by legal counsel.
  2. The buck stops here. Designate someone in your organization to lead the risk assessment and, subsequently, the risk management process. This person should have a good understanding of both the technical (I am talking about systems) and the non-technical aspects of health care compliance.
  3. Examine the flow of PHI in the real world. Things always look good on paper, right? But, what path(s) does patient information follow in your office or organization on a day-to-day basis? There are three key areas you should be scrutinizing for threats, vulnerabilities, risks and exposures: administrative procedures, physical safeguards, and technical standards and mechanisms. The U.S. Department of Health and Human Services (HHS) provides recommendations in its document, Guidance on Risk Analysis Requirements Under the HIPAA Security Rule. Just a bit of fun bedtime reading, right? (Hint: you will want to do a deep dive into the sections that talk about addressable controls.)
  4. Create a spreadsheet. I love a good spreadsheet for keeping track of all the details of my business, and there are sure to be many, many details involved in this HIPAA risk analysis. You will need a good way to keep track of them.
  5. Carefully scrutinize business associate contracts. At the end of the day, a Covered Entity is responsible for patients and their PHI. So, you want control over any PHI you may need to give a business associate, as well as legal recourse should the business associate allow a breach. Every business associate contract should contain an indemnification provision. Again, I recommend that you seek legal counsel on this issue.
  6. Document everything. Need I say more? This will be especially important when you complete the assessment and begin the management part.
  7. Keep things fresh. This is not a set-it-and-forget-it process. You may have no way of knowing when you will be audited by the OCR. Therefore, you need to make sure you complete a risk analysis and management process at regular intervals, just in case.

Let me know how your HIPAA audit preparation is going. I welcome your comments and input. After all, we are all new at this.

Gearing Up for HIPAA Compliance Audits in IT, Part 2: Business Associates

If you’re responsible for health IT at a HIPAA-covered entity, you’re probably thinking more seriously about the reality of HIPAA compliance audits, which are getting underway this year. As I discussed in my first post on HIPAA audits a couple of weeks ago, the passage of the HITECH Act in 2009 raised the bar on security for protected health information (PHI) and electronic PHI under HIPAA – for both covered entities and what are known as “business associates.”

I’m sure you’re already quite familiar with the term “business associate” and what types of vendors fall into this category (service providers, vendors and third parties that support covered entities). Graphic Enterprises is a dealer of Konica Minolta copiers, printers and document management systems for organizations in Northeast Ohio and Western Pennsylvania; as such, we come under scrutiny because ePHI often passes through our equipment and systems. And we’re just one type of business associate you need to consider. I’m sure you’ve got third-party health plan administrators, CPAs and attorneys, consultants, transcriptionists, pharmacy benefits managers and others in your sights.

So, in the midst of all this headache, what’s the upside for you? It may be a great opportunity for you to get the security upgrades and controls you’ve been requesting for years.

Before HITECH, all the privacy and security requirements between covered entities and business associates were handled via contractual agreements. Historically, the major problem with those agreements was that things were kind of “loosey goosey,” with few standards and criteria to aim for. Now, the responsibilities of a business associate are more defined, as are the liabilities:

  • Security breach notification requirements
  • Cure, terminate or snitch obligations
  • PHI disclosure accounting

We recognize our obligations to provide detailed information about how our products, systems and services meet the requirements of the HIPAA Security Rule. As the one in charge of IT for a covered entity, you have a right and a duty to ask for it. And, in the process, we hope you are given the chance to make your internal health IT systems better than ever!

If you’re part of a HIPAA-covered entity, what kinds of safeguards and security controls are you requiring business associates to document? And, how can a business associate like Graphic Enterprises make audit compliance easier for you?

Gearing Up for HIPAA Compliance Audits in IT, Part 1

When the Federal Health Insurance Portability and Accountability Act – affectionately known as HIPAA – was passed in 1996, no one was seriously thinking about how things like the Internet, electronic health records (EHRs), cloud computing and smartphones would affect protected health information (PHI). Fast forward 13 years to 2009, when the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act. Suddenly, there was an intersection between EHR adoption, government incentives and the safety and security of electronic PHI. Thanks to HIPAA, HITECH and other factors too numerous to list here, the delivery of health care services in the United States is changing rapidly and forever.

This year, the U.S. Department of Health & Human Services (HHS), via its Office for Civil Rights (OCR), launches the first HIPAA compliance audits ever conducted. (It only took them 16 years!) The OCR is planning audits of 150 HIPAA-covered entities in 2012, including hospitals, physician and dental offices, labs, nursing homes and pharmacies. Security compliance will be a major part of the audit, and, in today’s world, that rests heavily on IT folks.

I recently read an article that describes information security as the Achilles’ heel of PHI. Unsecured storage devices, portable devices and the concept of BYOD (bring your own device) make data loss via theft or computer failure a very real issue – and a headache for any health care IT department. Plus, under HITECH, liability for a PHI breach is extended to business associates (i.e. third-party vendors, suppliers, consultants, contractors, etc.). So, if you’re in IT, you have to think about systems security with any business associate you work with.

I know Graphic Enterprises will be considered a business associate by many of our health care customers in Ohio and Pennsylvania who use the copiers, printers and document management systems we provide. In many cases, our equipment and software play a critical role in both HIPAA and HITECH issues and objectives.

If you’re reading this, chances are good that you’re not among the first 150 entities that are being audited this year. But, you can be sure you’ll eventually be under the microscope.

So, in this series of blog posts about HIPAA compliance audits, I want to help you get ready by discussing some of the IT security issues that face the health care industry and how you can minimize your risk – particularly with business associates and the use of copiers, printers, multi-function printers and document management systems.