This summer, the Office for Civil Rights (OCR) announced its own set of guidelines for auditing covered entities pursuant to the HITECH Act audit mandate. As the governing entity of HIPAA law, the OCR determines whether an organization is in violation of any of the HIPAA Rules, including the Security Rule, Privacy Rule and Breach Notification Rule, and administers fines and penalties accordingly. [Read more about it in The HIPAA Police Are On Their Way!]
That is why it makes sense to be audited against the same set of standards the OCR developed after conducting a pilot audit program of real healthcare organizations across the country from 2011-12.
The protocol matches key activities and audit procedures to an established performance criterion, that is, a certain section of each HIPAA Rule. While HIPAA is notoriously more about the processes and procedures of an organization, the following covers only the technical security aspects of the HIPAA Security Rule, along with solutions to meet the audit criteria:
Action: Protection from malicious software; log-in monitoring; and password management
Technical Solution: Daily log review can track user activity, transport and store log events, provide log analysis and monthly reporting. This can decrease a company’s risk of security breaches, malware, loss and legal liabilities, since ongoing daily log review lets you see changes to your system daily, instead of after an issue is raised.
Action: Data backup plan and disaster recovery plan
Technical Solution: Offsite backup is the baseline for data protection. Find a solution that provides fully managed, file-level restoration. Check disaster recovery options for the recovery time objective (RTO) and recovery point objective (RPO) to estimate how long it would take to recover from an incident.
Action: Implement access control procedures using selected hardware and software; and select and implement an authentication option
Technical Solution: Two-factor authentication for gaining remote access to networks provides another layer of authentication to verify the true identity of the users. One factor, or form of authentication, is a username and password. The second factor requires communication via your phone, whether by entering a text message passcode or pressing a key to authenticate.
Action: Implement a mechanism to authenticate ePHI
Technical Solution: File integrity monitoring (FIM) is customizable software that can alert you to any change to or destruction of sensitive files. It is designed to protect ePHI from being altered in an unauthorized manner.
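The baseline-and-compare check that file integrity monitoring performs, as an added example that is not part of the original article or any vendor's product. The function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large records do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = sha256_file(full)
    return digests


def compare(baseline, current):
    """Report files altered, destroyed or newly created since the baseline."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Run the check over constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("chart_001.txt", b"constructed record A"),
                           ("chart_002.txt", b"constructed record B")]:
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(body)
        baseline = snapshot(root)  # in practice, store this off the monitored host
        with open(os.path.join(root, "chart_001.txt"), "ab") as handle:
            handle.write(b" (altered)")               # unauthorized alteration
        os.remove(os.path.join(root, "chart_002.txt"))  # destruction
        with open(os.path.join(root, "unexpected.txt"), "wb") as handle:
            handle.write(b"new file")                 # unexpected addition
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline is only trustworthy if it is kept where a user who can alter the monitored files cannot also rewrite it.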
Stay tuned for more technical, administrative and physical security solutions to meet the OCR HIPAA Audit Protocol’s Privacy Rule and Breach Notification Rule. Get informed on the specifics of HIPAA hosting by reading our HIPAA Compliant Hosting white paper.