HIPAA and IT Audits

Section One
1a.
The main aim of HIPAA is to ensure that patients' information is kept secure and receives the required privacy. The HIPAA Security Rule specifies who counts as a covered entity, what information is protected, and the administrative, physical and technical safeguards required for electronic protected health information (ePHI). The goal of the Security Rule is to provide adequate security for patient information while still allowing covered entities to provide the best care for the individual. The HIPAA Privacy Rule acts as a guideline indicating which information is considered private and how it may be used, disclosed and accessed. The Rule applies to covered entities and their business associates, that is, anyone who handles patient information or digital healthcare transactions on their behalf (Gostin, Levit, and Nass, 2009). The Privacy Rule also gives patients the right to make decisions concerning their health information and to access their own records.

1b.
One of the major incidents was the disclosure of information without the consent of the patient. Some institutions ended up giving protected health information to vendors, law firms or even reporters (HHS, 2019). In most of these cases the institution also failed to remove the details that would identify the patient, such as dates, locations, type of injury and even names. Another incident type was failure to follow proper procedure when disclosing information, so that the information ended up at the wrong destination or with the wrong recipient. Breaches of the administrative requirements were also reported, since they expose the patient to harm. One instance is failure to provide a notice of privacy practices, so that patients and their representatives know what to expect before they proceed with treatment. Another case was leaving patient information within reach of unauthorized persons: in one reported case, a patient's HIV test results were left where other patients could easily view them.

1c.
For the technical controls, it is important to introduce mitigation measures to avoid similar occurrences in the future. The HIPAA Security Rule requires healthcare providers to implement practical measures that mitigate the harmful effects of security incidents (Rickard and Sullivan, 2015). These measures include training employees on company procedures and on the correct use of IT equipment, contingency planning and computer support. Technical controls could include installation of firewalls, biometrics for authentication, audit logging, use of antivirus programs and regular audits of that logging. It is important that breaches are acted upon immediately when discovered, since workforce members may be aware of a weakness long before the HIPAA Privacy and Security Officers learn of it (Rickard and Sullivan, 2015). Breach mitigation therefore includes immediate action once a breach is found, as well as clearly stating security policies to employees so that they know how to report one. This way, employees work hand in hand with the organization to ensure that the laws and standards set by HIPAA are met.

1d.
Analyze and describe the network architecture that is needed within an organization, including a medium-sized hospital, in order to be compliant with HIPAA regulations.
Ensuring that the network is HIPAA compliant is important because the Security Rule requires covered entities to protect patients' electronic protected health information wherever it is stored or transmitted (Olson, 2017).

1e.
Covered entities include health plans, healthcare clearinghouses and healthcare providers. This gives a wide range of organizations that must comply with HIPAA, not hospitals only (Newtek, 2014). Hospitals and these other organizations all work together in a medical environment to achieve the goal of providing better services to patients. They are all required to follow the HIPAA rules, since they come into contact with medical records whose exposure would harm patients or the organizations themselves. However, other organizations tend to focus more on rules that affect their own employee information and company secrets, whereas hospitals have the direct link with the patient and hence hold far more information about them. Because of this direct link, hospitals need to focus more on the HIPAA rules in order to protect these patients; the other organizations are, in most cases, third parties or business associates.

1f.
The first step would be coming up with an audit protocol aligned with the HIPAA rules and regulations (Trinckes, 2012). Next, it would be important to do a risk assessment and gap analysis. Professionals in healthcare security and compliance would use a HIPAA checklist to note the areas that are compliant and those that could lead to a breach of the network. Firewalls help keep compliance continuous, and flexible reporting interfaces make audits run more smoothly since reports can be accessed easily. Security management platforms could be introduced to track trends in the audit reports, which makes it easier to identify changes or irregularities. Thirdly, after risks have been identified, it would be important to mitigate them at a technical or non-technical level. Lastly, every covered entity and business associate is subject to audit and must be able to demonstrate full compliance.
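The audit logging named in 1c and the review for "changes or irregularities" described above can be reduced to a concrete check. The following Python script is an added example, not code from the essay or from any cited source: it parses a constructed ePHI access log, checks each access against a constructed care-team table (does the user have a treatment relationship with the patient?), flags accesses outside assumed working hours, and flags days on which a user's access volume is far above that user's own baseline. The log format, the care-team table, the 07:00 to 19:00 working-hours window and the 3x volume ratio are all assumptions chosen for the example.

```python
"""Minimal ePHI access-log audit (added example; log data and rules are constructed)."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample log, not real hospital data.
# Fields: ISO timestamp, user id, role, patient id, action.
SAMPLE_LOG = """\
2019-08-12T08:05:11 dr_lee physician P1001 VIEW
2019-08-12T08:06:40 dr_lee physician P1002 VIEW
2019-08-12T09:12:03 rn_kim nurse P1001 UPDATE
2019-08-12T22:41:55 clerk_ho registration P1003 VIEW
2019-08-12T22:42:10 clerk_ho registration P1004 VIEW
2019-08-12T22:42:31 clerk_ho registration P1005 VIEW
2019-08-12T22:42:50 clerk_ho registration P1006 VIEW
2019-08-12T22:43:05 clerk_ho registration P1007 VIEW
2019-08-13T08:01:09 dr_lee physician P1001 VIEW
2019-08-13T10:30:00 clerk_ho registration P1003 VIEW
"""

# Constructed treatment relationships: users on each patient's care team.
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"dr_lee", "rn_kim"},
    "P1002": {"dr_lee"},
    "P1003": {"clerk_ho"},
}


class Access(NamedTuple):
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_log(text: str) -> List[Access]:
    """Parse whitespace-separated log lines into Access records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append(Access(datetime.fromisoformat(ts), user, role, patient, action))
    return events


def no_treatment_relationship(events: List[Access],
                              care_team: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Accesses by users who are not on the patient's care team."""
    return [(e.ts.isoformat(), e.user, e.patient) for e in events
            if e.user not in care_team.get(e.patient, set())]


def after_hours(events: List[Access], start: int = 7, end: int = 19) -> List[Tuple[str, str, str]]:
    """Accesses outside the assumed working-hours window [start, end)."""
    return [(e.ts.isoformat(), e.user, e.patient) for e in events
            if not (start <= e.ts.hour < end)]


def volume_spikes(events: List[Access], ratio: float = 3.0) -> List[Tuple[str, str, int]]:
    """Days on which a user's access count is >= ratio x that user's mean on other days.
    A user with no other days is compared against a baseline of 1."""
    per_day: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        per_day[e.user][e.ts.date()] += 1
    spikes = []
    for user, days in per_day.items():
        for day, n in days.items():
            others = [c for d, c in days.items() if d != day]
            baseline = mean(others) if others else 1.0
            if n >= ratio * baseline:
                spikes.append((user, day.isoformat(), n))
    return sorted(spikes)


def audit(text: str, care_team: Dict[str, Set[str]]) -> Dict[str, list]:
    """Run all three checks over a log and return the findings grouped by check."""
    events = parse_log(text)
    return {
        "no_relationship": no_treatment_relationship(events, care_team),
        "after_hours": after_hours(events),
        "volume_spikes": volume_spikes(events),
    }


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_LOG, CARE_TEAM).items():
        print(check, len(findings))
        for f in findings:
            print("  ", *f)
```

On the constructed log the three checks converge on the same event: a registration clerk viewing five unrelated patients' records late in the evening. In practice the care-team table would come from the EHR's assignment or encounter data, and each finding would be reviewed rather than treated as proof of misuse, since break-the-glass and emergency access are legitimate.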

Section Two

References
Gostin, L., Levit, L., & Nass, S. (2009). Beyond the HIPAA privacy rule. Washington, D.C.: National Academies Press.
HHS. (2019). All Case Examples. Retrieved 12 August 2019, from https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html
Rickard & Sullivan. (2015). Easy Guide to HIPAA Risk Assessments. Expert Health Press.
Newtek. (2014). Does Your Business Need To Be HIPAA-Compliant?. Retrieved 12 August 2019, from https://www.forbes.com/sites/thesba/2014/02/06/does-your-business-need-to-be-hipaa-compliant/#a072c7b3d7cc
Olson, D. (2017). Creating a HIPAA-Compliant Network – Summit Information Resources. Retrieved 12 August 2019, from https://www.summitir.com/2017/07/07/creating-hipaa-compliant-network/
Trinckes, J. (2012). The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security. CRC Press.
