HIPAA Audit Takeaways
HIPAA audit takeaways are feedback from previous HIPAA compliance assessments conducted by the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) and reveal the most common areas in which covered entities failed to comply with the Health Insurance Portability and Accountability Act (HIPAA).
The most recent series of HIPAA compliance assessments took place in 2011. Since then, the Final Omnibus Rule of March 2013 has been enacted to enhance the security of electronic protected health information (ePHI) and prevent confidential patient data from being compromised.
In February 2014, the OCR announced it was to survey a far wider cross-section of healthcare organizations than in the previous series of assessments, in order to “examine different mechanisms for compliance with HIPAA, identify best practices, and discover new risks and vulnerabilities”.
Once the OCR has completed its survey, a new round of HIPAA audits will commence. It is therefore important for healthcare organizations and other covered entities to be aware of the takeaways from previous HIPAA audits in order to assess their own security and compliance with HIPAA.
Takeaways from Previous HIPAA Audits
The HIPAA audit takeaways from 2011 are based on the pilot audit protocol developed by OCR for measuring the efforts of all covered entities to safeguard the integrity of ePHI (healthcare clearinghouses as well as healthcare organizations were included in the compliance assessment).
OCR found that most of the assessed entities did not conform to HIPAA standards for security, privacy or breach notification – the three primary audit areas. OCR also discovered that two-thirds of covered entities failed to perform a comprehensive risk assessment and that the most common cause of non-compliance was that the entity was “unaware of the requirement”.
Most significantly, covered entities were most often “unaware” of the security requirements relating to risk analysis, the communication of ePHI, administrative controls and monitoring. OCR also found that smaller healthcare providers – such as community practices with revenues of less than $50 million per year – were generally non-compliant in all three primary audit areas.
Security, Privacy and Breach Notification
Due to the fines that can be imposed on covered entities for not complying with HIPAA, it is essential that healthcare organizations make themselves aware of the takeaways from previous HIPAA audits – particularly in the three key areas of security, privacy and breach notification.
- Privacy – This area covers the access individuals have to ePHI, how they use it and the mechanisms that should be put in place to prevent ePHI from being compromised.
- Security – Specific administrative, physical and technical safeguards were introduced by the Final Omnibus Rule in March 2013 to protect the integrity of ePHI.
- Breach Notification – The Breach Notification Rule classifies what constitutes a breach of ePHI, how a breach should be reported and within what timeframe.
The areas of risk analysis, the communication of ePHI, administrative controls and monitoring are equally as important, and healthcare organizations can learn from the HIPAA audit takeaways for these areas by implementing a system of secure messaging which not only is HIPAA compliant, but which can also streamline workflows, increase efficiency and enhance patient healthcare in a cost-effective manner.
How Secure Messaging Complies with the HIPAA Regulations
The HIPAA regulations that were enacted by the Final Omnibus Rule were a direct response to the increased use of mobile devices in the workplace. Studies have revealed that more than 80% of physicians use a personal mobile device to access or communicate ePHI, and there is a serious risk of confidential patient data being compromised if a mobile device containing ePHI is lost or stolen.
Other scenarios exist in which the use of mobile devices in the workplace presents a risk to the security of ePHI. A secure messaging solution overcomes these risks by allowing authorized healthcare professionals access to confidential patient data through a private network on which ePHI is encrypted and communications are tightly encapsulated.
With secure messaging, it is impossible to save ePHI to the mobile device's memory, copy and paste it to an external device or forward it to a third party outside of the network. Administrative controls monitor activity on the network so that all communication is tracked in case of a breach or risk assessment.
Secure messaging solutions also fulfill the requirements of the HIPAA administrative, physical and technical safeguards, and act as a mechanism to prevent ePHI from being compromised – either deliberately or by accident. With a secure messaging solution, healthcare organizations can address practically all the issues within the HIPAA audit takeaways and not have to worry about future HIPAA audits.
The Benefits of TigerText's Secure Messaging Solution
In addition to protecting the integrity of ePHI and addressing the issues in the takeaways from previous HIPAA audits, case studies show that TigerText's secure messaging solution streamlines workflows, increases efficiency and enhances patient healthcare in a cost-effective manner.
The TigerText solution can be downloaded to any desktop computer or mobile device and has a text-like interface which is simple to understand and easy to use. Authorized personnel simply authenticate their identity with a unique username and PIN, and the solution is ready to use.
With instant delivery notification and read receipts, healthcare professionals are able to avoid playing phone tag and using their valuable resources to see if a message has been received. This function alone saves a considerable number of hours each work day, and allows physicians to spend more time with patients.
TigerText's secure messaging solution helps accelerate various healthcare workflows: admissions, emergency room hand-offs, the delivery of lab results or x-rays, and the diagnosis of a patient's condition.
Prescriptions can be confirmed with secure messaging, home healthcare professionals can escalate patient concerns with secure messaging, and emergency professionals can access potentially life-saving patient medical data with secure messaging – all without risking a breach of ePHI.
Find out More about the HIPAA Audit Takeaways by Speaking with TigerText
You can make sure you are aware of the takeaways from previous HIPAA audits by downloading our free white paper – “Top 5 Takeaways from HIPAA Omnibus Audits” – or by contacting us to discuss addressing the HIPAA audit takeaways with a secure messaging solution.
TigerText is the market leader in HIPAA compliant secure messaging solutions, and more than 4,000 medical facilities use TigerText to comply with the HIPAA regulations for privacy and security.
We offer healthcare organizations the opportunity to see TigerText in action before committing to our secure messaging solution. If you would like to request a demonstration of how TigerText can streamline workflows, increase efficiency and enhance patient healthcare in a cost-effective manner – while safeguarding the integrity of ePHI – please do not hesitate to contact us.