HIPAA Security Rule requirements, Part I

It is hard to believe we are in 2021, but I am sure you are like the rest of us and glad to see 2020 in the rear-view mirror.

As we move into this new year, we need to look ahead and learn from what has happened in the past. Last month we informed you about many HIPAA violations that the Office for Civil Rights (OCR) had investigated. Most of these violations could have been prevented. In fact, I was talking with a colleague that owns an audit log monitoring system and he informed me that during the pandemic they saw a 90% increase in snooping into patient records of the same last name. Fortunately for his clients, this was immediately stopped, and the employee(s) were sanctioned. This made me want to remind you of a few requirements under HIPAA.

 

  • 164.308(a)(1)(ii)(c) Sanction Policy – is a “required” standard under the HIPAA Security Rule. Employers are required by law to apply sanctions against employees who violate HIPAA, otherwise the employer could be fined.

 

  • 164.308(a)(1)(ii)(d) Information System Activity Review – is another required standard. Which requires procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. A security incident can be best described as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

 

  • 164.312(b) Audit Controls – is yet another required standard that states you must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI). This standard goes hand in hand with Information System Activity Review.

 

What does this mean to you?

First, you must understand what is considered “normal” usage within your software/hardware that contains ePHI. Then you must monitor your systems for abnormal behavior. This is a HUGE time-consuming task and unless you are monitoring every employee, 24/7 you may miss something. We highly recommend utilizing a third party to do this for you. The company we work with has interfaces with over 60 EHRs and is fully automated. If they do not have an interface, they will create one, or show you how to upload the logs in a matter of minutes instead of hours. No more looking over lengthy audit log reports. You simply receive an alert when there is abnormal activity. Best of all, this protects your patient data and your practice from fines and penalties. If you would like to learn more about this service, use the contact us page.

 

If you need assistance with HIPAA Risk Management or guidance with your HIPAA Compliance, contact us at 877.659.2467 or complete the contact us form.

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations how to minimize the risks of data breaches. HIPAA compliance is not an option, it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!

Share This HIPAA Blog

OCR Issues Audit Report on Health Care Compliance

December 18, 2020

HIPAA Security Rule requirements, Part 2 – Security Awareness and Security Incident Procedures

February 15, 2021
©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC