HIPAA/HITECH Compliance Audits Are Here – Do you know where your e-mail has been?
HIPAA Audits Begin
Although the importance of maintaining an “audit-proof” posture when it comes to compliance in general is nothing new at larger healthcare organizations and public companies, it is clear that many small- to mid-sized covered entities have adopted a less conservative approach to HIPAA compliance. Within the latter, compliance is often unofficially seen as a matter of formal documentation and the implementation of superficially obvious measures (e.g., the use of privacy screens on monitors located at the check-out desk or encryption keys on wireless networks). Meanwhile, compliance-in-depth and the evaluation of risks related to the implementation of new (or existing) processes and technologies take a back seat to the understandable desire of providers to leverage the benefits of modern technologies such as hosted e-mail services (gMail, Yahoo, Hotmail, etc.), online collaboration solutions (such as Google Apps), online fax solutions, and mobile devices. As of this week, the Department of Health and Human Services’ Office for Civil Rights has begun a one-year pilot program of random audits targeting covered entities and, eventually, business associates large and small.
HIPAA E-Mail Security
The ongoing demand on the part of internet-savvy patients and providers for e-mail communications for everything from appointment confirmations to online consultations and the delivery of test results makes e-mail compliance one of the areas where most practices most urgently need to review and address the risk of Security Rule non-compliance. Choosing a hosted e-mail solution doesn’t relieve covered entities and business associates of the need to address the details of compliance, however; it is the implementation, not the full responsibility for compliance, that is effectively delegated when a hosted solution is used within the organization. As such, it is important that covered entities confirm that IT solutions (whether e-mail services or EMRs) support compliance with the relevant required and addressable safeguards (both administrative and physical) as outlined in the Federal Register. A few matters to consider when reviewing hosted solutions include whether they:
- Protect the integrity of data
- Preserve the privacy of hosted data
- Execute a Business Associate Agreement
- Meet (and preferably exceed) HIPAA Security Standards
- Provide secure backup of data
- Provide for secure disposal of data
- Provide administrative access for managing user accounts and passwords
- Offer options for convenient two-factor authentication
- Track and support auditing of user logins and file access
- Provide role- or function-based access control
- Trigger logoff after a predefined inactivity period
- Encrypt/protect data in transit
- Provide options for access to data in the event of an emergency
- Implement mechanisms for the reduction of downtime
In a future post, we will outline the physical and administrative safeguards defined in the Federal Register and describe how PHI·Gard Hosted E-Mail addresses each of these toward making the implementation of HIPAA-Compliant E-Mail easy for covered entities and business associates of any size.