HIPAA compliance is something that all covered entities and their business associates need to work toward and closely monitor. No organization wants to miss a key security issue that eventually leads to a data breach.
By: Elizabeth Snell, HealthITSecurity.
Successfully preparing for HIPAA risk assessments and potential OCR audits can be done by anyone, according to Parkway General Surgeons Office Manager Kelly Goode. Anyone can do it if they put in the time and effort and have the right tools in place, Goode explained in an interview with HealthITSecurity.com.
Parkway has only 15 employees, she added, and most of them had no outside training. However, the organization began working with Stericycle for help with HIPAA compliance.
Kara Chitwood, surgical care coordinator and IT security officer, also discussed Parkway’s preparation process. The duo broke down how the organization works to ensure that all employees understand the importance of HIPAA compliance.
ELIZABETH SNELL: What went into preparing the office for potential HIPAA audits?
Kelly Goode: In order for us to be compliant with the HITECH Act, we needed a program to quickly make our office successful. I looked at various vendors and was impressed with the Stericycle program and what they had to offer. They had the HIPAA compliance solution and they were very friendly.
Basically, what I enjoyed about it is that it laid out a solid foundation. Alongside with what they were able to give us, Kara and I were able to go through every policy and procedure template that they provided and adapt them to our workflow for our office. And it was a very tedious process. It probably took us six months and it was hours and hours over our regular job hours to be able to feel comfortable in case we were to be audited.
Although Stericycle is a wealth of resources, we put in place other administrative safeguards to make sure we stayed in compliance. We hired an SRA consultant to look at the way our office conducts audits, to regularly review records of our information system activity and to also access our reports and security tracking reports.
It was very important for us to identify unauthorized access log attempts in our patient charts, [monitor] our firewalls, wireless connection, our work stations, our remote access, how we log into our windows and applications and other systems. We just wanted to make sure that this process was done correctly. And we do that quarterly. Before, we used to do that every month, which was really a lot of work for us. Once we were able to streamline and make sure that we weren’t having breaches or any trouble, we were able to move it to quarterly.
Kara Chitwood: I work with Highnet, our networking company that controls all of our internet access and our computers. I had to go through them to make sure that our firewalls were set up and that our anti-virus was up to date and make sure they kept our computers in compliance. I’m in constant communication with them to make sure if there is a breach into our firewalls, I’m notified through Highnet about the breach and then we can research it from there.
Highnet can also tell me if somebody has logged into our system where they should not have had access to log in, so we can also track it through them.
HITS.com: Is this preparation similar to conducting HIPAA risk assessments? What is that process like for you guys?
KC: As far as the risk assessments go, I look into both our practice management system and into our EHR system. Both of those systems have a way for me to conduct audits. So I can go in there and make sure that our employees have accessed patient charts for legitimate reasons. We can also make sure that, for any chart that was accessed, we can prove there was a legitimate reason for that employee to be in that chart.
Also with our practice management system, I can make sure that our employees are logging on and logging off properly and at appropriate times for their workday.
HITS.com: How important is employee training in this process?
KC: We believe that employee training is key to making sure the practice is always in compliance. With the employees having an understanding of how important administrative safeguards are, they’re more likely to keep themselves updated. That way if there is an audit, we want our employees to be able to answer questions quickly, confidently, and with the most accuracy.
We try to ensure this by educating our employees, making them familiar with our manuals, and teaching them how the manuals work so they can find what they’re looking for easily. We also have them read every policy and procedure, and once that’s done, we keep track of that by maintaining a sign-off sheet. Manuals are stored in a place where they are open and available for employees to look through and keep themselves familiar with at all times.
HITS.com: What advice do you have for organizations that are either conducting risk assessments or preparing for potential HIPAA audits?
KC: I’d recommend first and foremost to get a labeler. We use a labeler all the time. Our manuals are very divided up. We have a ton of manuals, so we really have to be able to keep track of those and find what we’re looking for very quickly.
Another key thing is to be organized. I believe that Stericycle helped us with that because their format and their layout of how they did it helped us stay organized with it.
And, just to be safe, we make a policy for everything. Even if we feel it’s mundane or we don’t need a policy on it, we write a policy stating that we don’t have a policy just to make sure that we’re always protected.
KG: If I had three recommendations for an office, I would first tell them to find a vendor like Stericycle that has a compliance program in place and is very friendly and adaptable to your office needs. Again, they laid out a foundation that was really easy for us to go through with both the security and office policies and procedures and HIPAA. Having that key essential tool has streamlined our process. If we had to manually do that and research that, we still would be nowhere near compliance. It was a great program to get going.
Two, I would highly recommend getting an SRA consultant to evaluate your system activity. [Ours] was so beneficial. He was able to come in and look at how we do our updates, how we network with other offices, all our security risks, and we have a lot of systems…he was just a wealth of knowledge. He’s a comfort. Basically, his quote to us was, “It’s like an insurance that you hope you never have to use, but it pays to be prepared.” And it’s true.
Three, I would say continue to educate your staff. We’re conducting assessments for all risks and vulnerabilities to our practice. Be prepared with auditing. We have also trained our staff on what to do if an auditor comes to your window. We’ve had to role play and play out scenarios, but I honestly believe we are there. If we had an audit, I feel we would do very well.
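The quarterly log review Goode and Chitwood describe (chart access backed by a legitimate reason, employees logging on and off at appropriate times, and unauthorized login attempts) is the kind of check a small practice can script rather than eyeball. The following is an added example written for this page; it is not Parkway's procedure, Stericycle's product, or any EHR vendor's audit export. The log format, employee shifts, appointment list and failed-login threshold are all constructed assumptions; a real review would read the EHR's own audit export and the practice's scheduling system.

```python
"""Added example (not from the interview or any vendor): review constructed
EHR audit-log lines for three conditions an IT security officer would
research: chart access without an appointment, chart access outside the
employee's shift, a day with a login but no matching logout, and a burst of
failed logins.  Every data item below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, time

# Constructed audit log: timestamp, user, event, patient id (or "-")
AUDIT_LOG = """\
2016-03-07T08:05:12 kgoode LOGIN -
2016-03-07T09:14:03 kgoode CHART_VIEW P1001
2016-03-07T12:47:51 kgoode CHART_VIEW P1042
2016-03-07T17:02:20 kgoode LOGOUT -
2016-03-07T07:58:40 kchitwood LOGIN -
2016-03-07T22:31:07 kchitwood CHART_VIEW P1001
2016-03-08T02:10:00 unknown LOGIN_FAILED -
2016-03-08T02:10:09 unknown LOGIN_FAILED -
2016-03-08T02:10:15 unknown LOGIN_FAILED -
"""

# Hypothetical workday per employee (start, end).
SHIFTS = {
    "kgoode": (time(8, 0), time(17, 30)),
    "kchitwood": (time(7, 30), time(16, 30)),
}

# Hypothetical "legitimate reason" data: patients with an appointment that
# day.  Any chart opened that is not on this list needs an explanation.
APPOINTMENTS = {
    "2016-03-07": {"P1001"},
}

FAILED_LOGIN_THRESHOLD = 3   # assumed; tune to the practice
FAILED_LOGIN_WINDOW_S = 300  # assumed five-minute window


def parse_log(text):
    """Turn the constructed space-separated lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, patient = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "event": event,
            "patient": None if patient == "-" else patient,
        })
    return events


def review(events, shifts=SHIFTS, appointments=APPOINTMENTS,
           fail_threshold=FAILED_LOGIN_THRESHOLD,
           fail_window_s=FAILED_LOGIN_WINDOW_S):
    """Return (kind, user, detail) findings for a human to follow up."""
    findings = []
    # sessions[user][day] -> login/logout counts, to catch missing logouts
    sessions = defaultdict(lambda: defaultdict(lambda: {"login": 0, "logout": 0}))
    failures = defaultdict(list)

    for e in events:
        day = e["ts"].date().isoformat()
        user = e["user"]
        if e["event"] == "CHART_VIEW":
            shift = shifts.get(user)
            # Unknown account or access outside the scheduled workday
            if shift is None or not (shift[0] <= e["ts"].time() <= shift[1]):
                findings.append(("after_hours_access", user,
                                 f"{e['patient']} at {e['ts']}"))
            # No appointment that day means no documented reason to be in the chart
            if e["patient"] not in appointments.get(day, set()):
                findings.append(("access_without_appointment", user,
                                 f"{e['patient']} on {day}"))
        elif e["event"] == "LOGIN":
            sessions[user][day]["login"] += 1
        elif e["event"] == "LOGOUT":
            sessions[user][day]["logout"] += 1
        elif e["event"] == "LOGIN_FAILED":
            failures[user].append(e["ts"])

    for user, days in sessions.items():
        for day, c in days.items():
            if c["login"] != c["logout"]:
                findings.append(("unmatched_logout", user,
                                 f"{c['login']} logins / {c['logout']} logouts on {day}"))

    # Sliding window: N failures within the window is a brute-force indicator
    for user, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - fail_threshold + 1):
            span = (stamps[i + fail_threshold - 1] - stamps[i]).total_seconds()
            if span <= fail_window_s:
                findings.append(("repeated_failed_logins", user,
                                 f"{fail_threshold} failures within {int(span)}s"))
                break
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(parse_log(AUDIT_LOG)):
        print(f"{kind:28} {user:12} {detail}")
```

Run against the constructed log, the review flags one chart opened without an appointment, one after-hours chart view, one day where an account logged in but never logged out, and one burst of failed logins. Each finding is a lead to research, not a verdict: an after-hours view may be an on-call surgeon, and an unmatched logout is often a crashed workstation, which is exactly why the practice keeps a consultant and a network provider in the loop rather than treating the list as proof of a breach.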