
PART 3 – HIPAA Benchmark Survey Insights: Risk Management, Auditing, and Ongoing Compliance


This blog is the third and final installment of our Health Insurance Portability and Accountability Act (HIPAA) Benchmark Survey series, where we explore key findings and practical takeaways from the 5th Annual HIPAA Benchmark Survey webinar. In Part 2, we examined vendor management, Business Associate relationships, and emerging risks related to data sharing and artificial intelligence (AI). In Part 3, we turn to risk management, auditing, ongoing compliance, and breach response.

Risk analysis and ongoing monitoring are at the heart of a strong HIPAA program. In the 5th Annual HIPAA Benchmark Survey webinar, many attendees asked how to move from theory to practice, particularly when it comes to auditing, managing risk across hybrid and remote environments, responding to breaches, and minimizing accidental disclosures of protected health information (PHI). Below are some of the key questions we addressed.

Q: What is the best way to support risk mitigation?

A: HIPAA Security Rule guidance emphasizes that conducting a thorough risk analysis and maintaining a risk management program is the most effective way to find and mitigate privacy risks. This includes identifying potential risks, assessing threats and vulnerabilities, and implementing reasonable safeguards. Organizations should train staff to recognize sensitive information, follow proper procedures, and flag potential issues. Organizations should also have strong policies, clear workflows, and governance programs to guide consistent behavior, along with technology tools such as access controls, encryption, and monitoring systems.

Q: Can you provide information about OCR’s audit protocol and other mechanisms to monitor workforce compliance, including remote employees?

A: The Health and Human Services (HHS) Office for Civil Rights (OCR) official audit guidance, available through OCR’s HIPAA Audit Program page, includes the HIPAA Audit Protocol, which outlines what regulators review when evaluating compliance with the Privacy Rule, Security Rule, and Breach Notification Rule. It also details the types of documentation and evidence organizations are expected to maintain.

If an entity has a physical structure, it is a best practice for the Privacy Official to walk the halls. This gives the organization an opportunity to monitor privacy practices at the operational level and speak with the workforce. During a walkthrough, several questions may be assessed: Do staff understand key aspects of the Privacy Rule, such as not speaking about patients in front of those who do not have a need to know? Do they know that they can only access medical records for specific job-related purposes? Are computers that are visible to those who may not have a need to know set to time out when they are not being used? This helps to assess any possible gaps in the privacy program.

If an organization is remote, the Privacy Official should find ways to connect with the remote workforce, such as periodic virtual meetings to review privacy protocols. Organizations should work with IT to ensure that PHI is appropriately safeguarded if transmitted outside of the organization. Organizations should also conduct an audit to assess whether medical records are being inappropriately accessed.

Q: What is the risk level if a document containing PHI is inadvertently given to the incorrect patient but is returned quickly?

A: Determining the risk level of any breach is highly fact-specific. Under HIPAA, whether an incident qualifies as a reportable breach depends on a risk assessment consisting of a four-pronged analysis: 1) the nature and extent of the PHI, 2) who accessed the PHI, 3) whether the PHI was actually acquired or viewed, and 4) the extent to which the risk to the PHI has been mitigated.

If the risk assessment determines that the likelihood of actual harm is low, the incident may be considered a low-risk breach, and formal reporting might not be required. However, organizations are expected to document the assessment and rationale since OCR may seek to review it during audits or investigations. Essentially, quick recovery helps reduce risk, but the organization must still evaluate the situation using the HIPAA Breach Notification Rule factors before deciding not to report.

Building and sustaining an effective HIPAA privacy program requires more than policies on paper. It demands continuous risk assessment, proactive monitoring, and a well-defined approach to breach response. By strengthening auditing practices, addressing the realities of hybrid work environments, and prioritizing safeguards against inadvertent PHI disclosures, organizations can reduce risk, improve compliance, and respond confidently when incidents occur. For more information on this topic or questions about the HIPAA Benchmark Survey, please contact [email protected] and [email protected].

About the Author

Robbi-Lynn Watnik is an attorney, Certified in Healthcare Privacy Compliance (CHPC). She has over 35 years of experience in health care policy, with a special focus on health care compliance and privacy over the last 25 years. Ms. Watnik conducts research and analysis of, and provides guidance on, federal regulations around privacy, security, and government health care programs. She has been engaged several times to serve as a Designated Compliance Officer.
