Being HIPAA Compliant in 2015Greg Garner
Start off 2015 by ensuring your HIPAA compliance requirements are in order. The Health Insurance Portability and Accountability Act (“HIPAA”) has a number of compliance measures that must be followed through the development of informational security and operational documentation by covered entities and business associates that create, receive, maintain, or transmit protected health information (‘PHI’) from unauthorized access, use or disclosure. Understanding those requirements is essential in maintaining the standards outlined by law.
Mobile devices continue to increase the risk of PHI, coupled with the growing security hacks and privacy breaches that plague the industry. It is important to reassess your current HIPAA compliance policies each year to ensure total compliance. These are top areas of concern that should be reviewed and considered within your operations:
- Business Associate Agreements
Although your organization may have total HIPAA compliance, your business associates must also follow the guidelines for compliance. Your administrative office should have a running list of business associate agreements and their expiration dates, which should be reviewed and updated on a regular basis. There were specific deadlines in place that have now passed for that applied to the review and renewal of business associate agreements, so if you have not done an inventory of your business associate agreements, now is the time.
- Retraining of Employees
Your employees must be trained and retrained on your policies, especially if there are extensive changes implemented within your organization. Every employee, privacy and security officer with access to PHI must be trained and retrained on a consistent basis to ensure your company remains compliant with HIPAA standards. This should be an ongoing effort that includes your entire organization to keep them abreast of the policies and procedures. Organizational leaders must set a standard for employees on HIPAA compliance, and must demonstrate its importance from the top. This can work to counteract breaches and reinforce action plans that should be activated in the case of a security threat. New employees initially receive HIPAA training, but the entire staff as a whole must undergo HIPAA training on a yearly basis to foster a culture of compliance.
- Mobile Device Security
Every organization should have a security plan in place to counteract any security risks that may occur from the use of a mobile device. Because these devices are widely used, your organization must address issues relating to lost or stolen devices that contain confidential, proprietary or sensitive information; issues relating to former employees that had access to PHI; and devices that access the internal server that contain proprietary, confidential or sensitive information. There may be a general policy in place, but extensive policies and procedures that extend beyond the normal breach policy must be developed to include specifics on handling these devices in the event of a breach.
- Ensuring Operating Procedures are Compliant
Every organization has their own set of operating procedures. As a HIPAA compliant organization, special attention must be dedicated to formulating a risk management plan that will address any potential risks that could occur, and how the company will handle those risks in the event of a breach. Taking the time to develop a structure and implementing those outlined measures will reduce risk. This includes implementing security measures that must be evaluated and maintained. Everyone on the security team must understand how to conduct a risk analysis and why it is important. According to the Department of Health and Human Services, steps included to conduct a thorough risk analysis include:
- Identifying the scope of the analysis
- Gathering the data
- Identifying and documenting potential threats and vulnerabilities
- Assessing current security measures
- Determining the likelihood of threat occurrence
- Determining the potential impact of threat occurrence
- Determining the level of risk
- Identifying security measures, and finalizing documentation
- Understanding Breach Reporting
There should be guidelines in place to address any breaches, with specific instructions on breach reporting protocol. All HIPAA covered entities and their business associates must provide notification that extends beyond the internal operations of the organization. All covered entities and their business associates must provide notification to any affected individuals, the Secretary of Health and Human Services, and depending on the type of information involved, to the media. This should be fully covered under the company’s risk management plan, but must be reinforced from an administrative standpoint within the organization. Taking the time to construct a policies and procedures guideline for breach incidents, and conducting a risk analysis based on the company’s risk management plan should be a priority. A risk analysis should take place and be reviewed on a regular basis to remain in compliance and be prepared for any situation that may arise. Failure to operate under the HIPAA guidelines may result in severe penalties for your organization.
Using these suggestions as a guideline will help your organization keep HIPAA compliance as a priority while implementing procedures that will work cohesively across the company to maintain high levels of security. Starting the year off with a renewed vision for your operating procedures and risk management systems will benefit your employees and organization as you move forward. Implementing solutions and procedures based on your organization’s needs and their current state of compliance is key.