2015 was one of the biggest years for HIPAA breaches, and, of course, for the six-figure fines that accompanied several of them.
So with a new year in front of us, now is the time to shore up any holes in your organization’s HIPAA compliance plan. And since the Office for Civil Rights (OCR) has already warned that Phase 2 audits will begin in early 2016, there’s no time to spare.
Here is a roadmap to HIPAA compliance planning, in six simple steps.
1. Get buy-in from physicians.
Physicians set the tone in a practice, so it’s important that they are all committed to compliance planning. Make sure each physician understands the critical nature of such a program as well as the steps to achieve successful implementation.
When the physicians are on board, it’s more likely that the rest of the staff will be too.
2. Select a compliance and security officer.
Depending on the size of your facility, the role of compliance and security officer may be filled by one or more people. Smaller entities usually combine the role into one, while larger organizations may be best served by splitting the responsibilities between two individuals.
Regardless, officers must possess a thorough understanding of the Privacy and Security Rules as well as have the ability to evaluate possible fissures in the organization’s data infrastructure. It’s recommended that officers complete the ONC’s Cybersecure training games to gain additional insights regarding compliance and contingency planning.
3. Perform an annual risk assessment.
The HIPAA Security Rule requires that all covered entities conduct an annual risk assessment, and both the Medicare and Medicaid Meaningful Use programs mandate an assessment as well.
As we have seen with several of the recent HIPAA breaches, a thorough risk assessment could have pinpointed security shortfalls. A checklist is not a sufficient assessment, and that may be one reason why so many are having trouble.
Entities need to utilize a risk assessment protocol that evaluates each area of the organization and corresponds to the pertinent Code of Federal Regulations (CFRs). The protocol should also take a close look at how the organization uses email and mobile devices. Given the number of breaches related to improper usage of these items, it’s key to review the associated risks.
4. Create or update HIPAA policies and procedures.
Covered entities must also establish written policies and procedures (P&Ps) regarding the handling of personal health information. This is mandatory under both the Privacy and Security Rules and generally covers the following areas:
- Uses and disclosures
These P&Ps should be reviewed and updated periodically to ensure accuracy and completeness. Standardized templates that correspond to each of the required CFRs can be helpful in getting started.
5. Evaluate business associate agreements.
Most healthcare organizations, whether big or small, work with a variety of vendors, suppliers, and contractors. Any of these individuals and/or companies that have access to your patients’ personal health information are labeled ‘business associates.’
All business associates must have adequate HIPAA compliance policies and procedures in place. If your healthcare facility contracts with a business associate, you must obtain proof that such documentation is in place.
The Department of Health and Human Services describes it as follows: “The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.”
6. Allow adequate time for staff training.
Remember that this all takes time. It is not an overnight – or even a weeklong – process. It takes months to fully implement a thorough HIPAA compliance plan, and after that, the management of new threats and risks is ongoing.
With that said, be sure you allow adequate time to train staff. Training should occur prior to implementation, followed by periodic refresher training for the inevitable policy changes that will need to be executed.
Above all, get started NOW. Compliance planning is critical for the health and livelihood of your organization.
What steps are you taking to improve your HIPAA compliance plan in 2016? Please join the conversation below.