HIPAA Alert: Still Issues Across the U.S. in 2018

While great strides are being made every day in protecting patient information, the U.S. Department of Health and Human Services (DHHS) says it has been struggling with nine top compliance issues across the country in 2018. Here are those issues and the steps Methodist takes every day to ensure our compliance:

1. Business associate agreements
   For every new goods or services purchase, the HIPAA Privacy and Security Officer addresses the need for a business associate agreement (BAA), performs risk analysis and checks security certifications. All renewal contracts are checked for privacy and security issues and need for BAA.
    
2. Risk analysis
   On an annual basis, the IT Security department performs more than 70 different risk assessments on applications and systems. Additionally, when new medical equipment or applications are acquired by Methodist, a security risk assessment is also completed. The risk management process ensures that Methodist is compliant with HIPAA compliance.
    
3. Failure to manage identified risk (e.g., encrypt)
   In addition to identifying and reporting the risks, Methodist and the Information Security and Risk Committee review all risks to ensure compliance with HIPAA.  The risks are either mitigated, accepted, or transferred based on the business operations and security posture of Methodist. For most risks associated with HIPAA Security, a policy or standard is in place such as the IT Information Security Encryption Standard policy.
    
4. Lack of transmission security
   The IT Security department has developed standards and configuration requirements for transmitting patient health information (PHI) data to other entities.  Whether it is through the Proof Point e-mail application or a connection to Cerner, data connections are required to follow the approved policies.
    
5. Lack of appropriate auditing
   On a daily basis, there are a number of tools and technologies that have been deployed that provide audit results of activities related to PHI Data. One of the main systems, FairWarning, has been designed to look at the Methodist governance policies. All employee activity involving PHI data will be monitored.
    
6. No patching of software
   The IT Department has developed a patching compliance cycle that ensures the systems and applications are patched on a recurring basis. Many of the patch deployments are transparent while others require user intervention. It is extremely important that systems be appropriately patched to ensure compliance.
    
7. Insider threat
   Methodist has policies and processes in place to address and define insider threat activities. Along with auditing and logging, the IT Security group is deploying software to identify user access of data and files.
    
8. Improper disposal

   At each location, Methodist has provided shred bins for proper paper and printed record disposal. In addition, the IT Department will erase drives and physically destroy them if they contained PHI. 

9. Insufficient data backup and contingency planning
   The IT Department is continuously reviewing the data backups and contingency planning to ensure business operations, patient care and employee safety are not impacted. A number of policies and procedures have been adopted and approved by IT to comply with this aspect of HIPAA security. 

If you have any questions about how Methodist handles HIPAA security, please contact HIPAA Privacy Officer Zorana Vojnovic at (402) 354-6863 or @email.