OCR typically announces what its enforcement focus will be in advance, but “it is constantly changing year to year, so by the time something shows up on your risk assessment, it’s a little late if it’s an issue,” said Chris George, a senior managing director in the health solutions practice at FTI Consulting.
George, who is familiar with how HIPAA inspections are conducted, said it is important to establish a compliance committee that meets regularly to oversee the process of implementing changes after a risk assessment. OCR routinely monitors this activity, he said. “They look for policies and procedures, but also what you are doing from week to week,” he said. “They want to see you putting time, energy, and effort into solving some of these problems.”
Working regularly to amend bad habits and areas that introduce risk is what Wilkes refers to as having good “security hygiene.” Many changes are simple to implement, such as having staff change their passwords every 6 months, using password-protected screen savers, or configuring computers to lock or log users out automatically after a set period of inactivity. Staff also need to understand that web-browsing habits on workplace computers can expose a practice to a significant risk of a data breach.
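One way to turn the idle-logout recommendation into something checkable, added here as an example and not taken from the article or from Wilkes: a PowerShell script that audits a Windows workstation's screen-saver lock and machine inactivity settings against an assumed 15-minute policy and appends a dated result to a CSV file. The threshold, the CSV location, and the pass/fail rule are assumptions for illustration; the registry locations are the standard ones for the screen-saver settings and the “Interactive logon: Machine inactivity limit” policy.

```powershell
# Added example, not from the article: audit one Windows workstation's
# idle-lock settings and record a dated result. The 15-minute threshold
# and the CSV location are assumptions; set them to the practice's policy.

$MaxIdleSeconds = 900
$ReportPath     = "$env:USERPROFILE\idle-lock-audit.csv"

# Reads a registry value, preferring the Group Policy location over the
# user's own setting. Returns $null when no listed location defines it.
function Get-RegValue {
    param([string[]]$Paths, [string]$Name)
    foreach ($p in $Paths) {
        $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$Name }
    }
    return $null
}

$ssPaths = @(
    'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
    'HKCU:\Control Panel\Desktop'
)
$active  = Get-RegValue $ssPaths 'ScreenSaveActive'     # 1 = screen saver on
$secure  = Get-RegValue $ssPaths 'ScreenSaverIsSecure'  # 1 = password on resume
$timeout = Get-RegValue $ssPaths 'ScreenSaveTimeOut'    # idle seconds before start

# "Interactive logon: Machine inactivity limit" locks the session even when
# no screen saver is configured (0 or absent means the limit is not set).
$machineLimit = Get-RegValue @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System') 'InactivityTimeoutSecs'

$screenSaverLocks = ($active -eq 1) -and ($secure -eq 1) -and
                    ($null -ne $timeout) -and ($timeout -le $MaxIdleSeconds)
$machineLocks     = ($null -ne $machineLimit) -and ($machineLimit -gt 0) -and
                    ($machineLimit -le $MaxIdleSeconds)

$findings = @()
if (-not $screenSaverLocks) {
    $findings += "Screen saver: active=$active secure=$secure timeout=$timeout"
}
if (-not $machineLocks) {
    $findings += "Machine inactivity limit: $machineLimit"
}
# Assumed rule: either control meeting the threshold satisfies the policy.
$status = if ($screenSaverLocks -or $machineLocks) { 'PASS' } else { 'FAIL' }

$result = [pscustomobject]@{
    Computer = $env:COMPUTERNAME
    User     = $env:USERNAME
    Checked  = (Get-Date).ToString('s')
    Status   = $status
    Details  = ($findings -join '; ')
}

$result | Format-List
# Append to the running log the compliance committee reviews at its meetings.
$result | Export-Csv -Path $ReportPath -Append -NoTypeInformation
```

Run it under each user's session (the screen-saver values live under HKCU) or push it out as a logon script; the accumulated CSV is the kind of week-to-week record, rather than a policy document alone, that the article says an auditor looks for.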
Wilkes also recommends consulting websites such as the Health IT Playbook, which provides tip sheets that can be downloaded and displayed in the office as reminders for staff. They include “Top 10 Tips for Cybersecurity in Health Care” and “Steps to Protect and Secure Information When Using a Mobile Device.” Use of these tip sheets can be documented as part of a practice’s security awareness and training.
“Beyond having policies in place, these are the things that OCR wants to see in a practice if they do an audit,” Wilkes said. “There should be breadcrumb evidence of good security hygiene awareness and behaviors in place.” The risk analysis is only one piece. The goal should be to use its results to tell staff which risks were identified and which safeguards will reduce them, protecting both the practice and its patients’ information.
One piece at a time
When practices decide on a set of problems to address, they should not try to do everything at once, as this will be too burdensome, George said. “You need to come up with a priority plan for each of the areas,” he said. “Some practices will already have improvement processes in place and the risk assessment is just part of that.”
The most critical issues should be addressed first, but that is not always feasible. During busy times, it may be wiser to fix lower-priority, lower-impact issues and defer the more disruptive fixes. A savvy practice manager, he said, should be able to help determine the best times to fix certain problems.
“At the end of the day it’s all about seeing patients, and you have to make sure the changes don’t impact your practice negatively from a clinical care perspective,” George said.
This article originally appeared on Renal and Urology News