Your data may be completely secure and your organization may be well shielded from attacks, but with OCR audits coming your way, it is not enough simply to be secure and compliant. You need to be able to prove your compliance with the HIPAA Privacy, Security, and Breach Notification Rules to the OCR audit team. So while you prepare for the upcoming OCR audit, here is a look at the 10 tips offered by Mahmood Sher-Jan, Vice President of product management at ID Experts, and Chris Apgar, president and CEO at Apgar and Associate, to get yourself ready for the OCR audit. Also see how eGestalt’s SecureGRC can make it easy for you to follow these tips:
1. Know your compliance status. It is crucial that you have a complete understanding of your entity’s compliance status and of the gaps that exist in your security set-up. For this you need to evaluate yourself as well as your business associates through self-audits, identify any inadequacies, and fix them in a timely manner.
SecureGRC is a fully automated and integrated tool that helps you keep security and compliance requirements in view at all times. It comes with a self-audit capability and lets you track your compliance status at any point in time.
2. Manage your documents centrally. While you need to keep track of your compliance status, you also need to maintain the documents that support your compliance with the HIPAA rules. This is an integral part of being compliant and protects against significant legal risk: if and when the need arises, you should be ready to produce your policies, procedures, risk analysis reports, training records, and the records of other related compliance activities.
SecureGRC is designed to create and maintain a central online document repository into which all documented proof of compliance and security is securely uploaded. The compliance documents of business associates and subcontractors are uploaded into the same repository, making it easy for you to furnish every document requested during the audit.
3. Come up with a compliance plan. Ranking your compliance gaps from high to low risk is an essential part of preparing for the audit. It lets you determine the right plan of action and align your resources accordingly.
The risk configuration module in SecureGRC lets you quickly configure the risk algorithms used for each regulation and the thresholds used in risk calculations.
4. Develop and implement HIPAA policies and procedures. Protecting the confidentiality, integrity, and availability of health information is a basic requirement of HIPAA, and you should have policies and procedures in place to support it. Compliance rules are subject to change, so you should adopt a system that can be extended to cover new regulations as they are introduced.
SecureGRC is the ONLY product with built-in best practices and policy and procedure templates, so by adopting it you have ready-to-use frameworks for every action required to achieve and maintain compliance. Its built-in policy frameworks and procedures for HIPAA, PCI, SOX, and other regulations are ready to use and easily customizable, and they address the requirements of confidentiality, integrity, and availability, so you do not have to create and implement policies and procedures from scratch. It also comes with the capability to upgrade itself automatically to include new rules and regulations as they are introduced.
5. Build an IRP. An Incident Response Plan (IRP) is critical for protecting Protected Health Information (PHI) because it sets out how an entity will react in the event of a compromise or breach. It is important for you to demonstrate that you have an incident response team, plan, and procedures that ensure a timely and consistent response to any unforeseen breach incident; timeliness matters all the more because the Breach Notification Rule imposes deadlines on notifying affected individuals and HHS once a breach is discovered.
SecureGRC’s Report of Compliance and its risk reports highlight vulnerabilities that need to be managed before a security incident occurs. SecureGRC features easy-to-adopt, ready-to-use compliance frameworks as well as context-based inference engines, and it comes with a built-in best practices library that explains how to resolve the issues it finds. These best practices are aligned with compliance requirements and can therefore serve as a valuable foundation on which to build your IRP.
6. Train your staff. ‘People risk’ is the biggest risk in every organization because employee negligence is often the main cause of an information breach. HIPAA also expressly requires workforce training, so training your employees is critical to both security and compliance. All employees should be made aware of the security protocols to be followed when handling PHI.
SecureGRC has been designed to address the human side of security. Access control is purely role-based, and automated controls remind your staff of outstanding compliance tasks, manage exceptions, and let you compare user access, check that access rights are appropriate, and flag any discrepancies.
7. Analyze and manage risks. To confirm that your security policies and procedures are in place and that your compliance requirements are met on an ongoing basis, you must identify and analyze your high-risk areas and devise measures to manage evolving risks over the long run. A documented risk analysis is an explicit Security Rule requirement and is among the first things OCR auditors ask to see.
SecureGRC provides end-to-end automation for your risk management needs, supported by inline policies, best practices, citation guidance, and implementation briefs. It simplifies risk management by identifying high-risk areas and proactively recommending mitigation strategies at the right time.
8. Document all security and compliance activities. Demonstrating compliance is not a one-time event; it is an ongoing process. While it may not be possible to prevent every unauthorized exposure of data, you should be able to show that you have consistently worked to protect PHI and maintain compliance, and for that you need an up-to-date record of all security and compliance activities.
SecureGRC supports periodic audits that continuously monitor security and compliance and generates risk reports and reports on compliance, so that you can identify vulnerabilities and initiate the appropriate remediation measures.
9. Conduct self-audits at periodic intervals. This activity helps you close gaps in your privacy and security set-up. A proactive audit of your own entity as well as of your business associates can be instrumental in identifying problem areas and mitigating risks.
SecureGRC offers this capability. One of its most salient features is the ability to run self-assessments and audits at regular intervals to determine your organization’s compliance status. In an ever-changing regulatory landscape, this feature is very helpful in maintaining ongoing compliance and security.
10. Get expert assistance. This gives you an outside perspective on your compliance status well before the OCR audit. An outside vendor can also offer valuable expertise, augment your resources, and help you prepare better for the audit.
SecureGRC has been designed by eGestalt’s team of qualified experts, who have extensive experience in the field and are well aware of the information security and compliance challenges you face. With built-in security best practices, implementation briefs, citation guidance, policies, and risk parameters, SecureGRC gives you an inside audit of your state of security and compliance. With SecureGRC backing your compliance initiatives, you can gain the upper hand on governance and compliance and face any audit with confidence.