10 Steps to HIPAA Compliance for the Small and Medium Medical Practice
Covered Entities and Business Associates of all sizes have a responsibility to safeguard protected health information and document their efforts to maintain compliance. Many believe HIPAA compliance is all about technical or IT issues. The reality is that compliance entails much more.
These requirements may seem stringent and complex, but beyond avoiding a breach of patients' privacy and the steep civil monetary penalties levied by OCR (the HHS Office for Civil Rights), they benefit healthcare organizations tremendously. By establishing administrative, physical, and technical safeguards, covered entities are better positioned to avoid the costs of recovering, or losing outright, their business, billing, and accounts receivable information. Adverse events of this kind can severely impact a practice or even close it.
Data breaches can happen to even the most secure businesses, organizations, and agencies. If an organization can demonstrate that it had "recognized security practices" in place for at least the 12 months prior to a breach, OCR must consider those efforts as a mitigating factor when determining the severity of the violation and the amount of any penalty.
ESI can help healthcare organizations implement a compliance program along with the technical safeguards that fit their size and budget. Here are our 10 steps to help your organization ensure HIPAA compliance.
1. Designate a Privacy Compliance Officer and Identify Key People Responsible for Compliance.
The Privacy Officer manages the HIPAA compliance program in collaboration with key organization leaders. The Security Rule separately requires a designated security official responsible for the security policies and procedures; in a small practice this may be the same person, but the designation must be documented.
2. Identify all PHI Data: analyze workflows and find where you have Protected Health Information.
Sounds simple, but you may be surprised. PHI and Personally Identifiable Information should live in your practice management or EMR/EHR system, but it may also reside in other locations such as network drives, fax and email servers, personal workstations, mobile devices, backup media, filing cabinets, etc.
3. Identify your People, their Roles, and what information they need to do their jobs effectively.
Ensure that authorized workforce members, business associates, and vendors access PHI only on a minimum necessary basis, and that access is promptly terminated when a workforce member leaves. Upon termination, access must be revoked not only to the covered entity's own applications, but also to any industry, health plan, and insurance portals the person used on the practice's behalf.
4. Define and Document Standard Operating Procedures, Policies, Security Procedures, etc.
Document workstation and network use policies, training materials, onboarding and offboarding procedures, the Notice of Privacy Practices, incident response procedures, ongoing security awareness alerts, etc. Ensure the documentation is properly disseminated to both existing and new employees, and keep records showing who received it and when.
5. Conduct Regular Security Risk Assessments and Audits.
Review and update the security risk assessment at least annually and whenever workflows are modified or added. The assessment should identify where PHI is stored and transmitted, estimate the likelihood and impact of each potential threat, and record the measures taken to mitigate those risks.
6. Implement Administrative, Physical, and Technical Safeguards according to the Security Rule.
- Administrative – Document security and compliance management processes on an ongoing basis, designate responsible personnel, and periodically assess security and compliance practices. Conduct regular audits of activity on systems with PHI (and make sure you maintain records of the audits performed).
- Physical – Identify and secure assets, control access to facilities, and maintain visitor logs.
- Technical – Implement security best practices in your network and PHI systems, covering the Security Rule's technical safeguards: access control (unique user IDs, emergency access, automatic logoff, encryption), audit controls, integrity controls, person or entity authentication, and transmission security.
7. Follow NIST and HHS 405(d) guidance for implementing the 10 "recognized security practices."
Address the 5 major threats facing healthcare organizations as outlined in the HHS Health Industry Cybersecurity Practices (HICP) publication developed under section 405(d) of the Cybersecurity Act of 2015: email phishing, ransomware, loss or theft of equipment or data, insider accidental or intentional data loss, and attacks against network-connected medical devices. The 10 practices HICP recommends against these threats are: Email Protection Systems, Endpoint Protection Systems, Access Management, Data Protection and Loss Prevention, Asset Management, Network Management, Vulnerability Management, Incident Response, Medical Device Security, and Cybersecurity Policies.
8. Maintain Business Associate Agreements.
Ensure all partners with access to PHI have signed business associate agreements in place.
9. Understand the Breach Notification Rule and ensure you follow it.
Breaches may happen. When one does, the organization must respond immediately, be able to show that it did everything in its power to prevent the breach and followed its own procedures, and determine whether the incident is a reportable breach by applying the four-factor risk assessment: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. If the breach is reportable, follow the Breach Notification Rule: notify affected individuals without unreasonable delay and no later than 60 days after discovery, and notify HHS (and, for breaches affecting 500 or more residents of a state, the media) on the Rule's timelines.
10. Document your Compliance Efforts.
Be ready for an audit. Have all your compliance documentation organized and ready for inspection.
Frequently Asked Questions:
What is the purpose of HIPAA?
The Health Insurance Portability and Accountability Act protects the privacy of individually identifiable health information and requires covered entities to ensure its confidentiality, integrity, and availability, while allowing patients to access their records and move between healthcare providers so that they can receive quality, comprehensive care.
Why should we implement a HIPAA Compliance Program?
All covered healthcare providers, as well as their business associates, are required by law to implement policies and procedures that protect the privacy of patient health records and the confidentiality, integrity, and availability of electronic PHI.
Many health plans and business partners will also require evidence of a solid compliance program before doing business with a provider.
If we implement a HIPAA Compliance Program, are we guaranteed not to have a breach?
No. Even the most heavily guarded organizations with the largest budgets, including many three-letter government agencies, can be and have been victims of a breach. So many factors are involved in securing facilities and electronic records that it is very difficult to ensure 100% control over everything, especially the human factor. Regular staff training and awareness are critical components in minimizing the risk of a breach: most successful intrusions exploit a lack of user training and awareness or a failure to follow policies and procedures. 89% of healthcare organizations experienced a breach over the last 2 years, and 86% of the mistakes involved were administrative.
The goal of a healthcare cybersecurity program is to identify and minimize the risks and vulnerabilities as well as the impact to operations and patient care.
OCR does not generally fine an organization simply because a breach occurred. Penalties follow from failures to comply with the Privacy, Security, and Breach Notification Rules (for example, never performing a risk analysis, missing business associate agreements, or late notification) or from an inability to document compliance efforts. The most important factor is that organizations can demonstrate, with documentation, their efforts to comply with the HIPAA rules.
What happens if we do not have a solid HIPAA Compliance Program?
The Office for Civil Rights has the authority to conduct random audits, investigate breaches and complaints, and levy hefty Civil Monetary Penalties on Covered Entities and Business Associates found to be non-compliant. Being able to demonstrate that "recognized security practices" were in place for at least the 12 months prior to an incident is a mitigating factor OCR must consider; being unable to do so removes that protection.
Civil Monetary Penalties vary greatly depending on the organization's compliance efforts and practices. They are tiered by culpability, from violations the organization did not know about and could not reasonably have known about, through reasonable cause, to willful neglect that is corrected and willful neglect that is not corrected, with annual caps per identical provision.
What if I have Cyber Breach Liability Insurance?
We highly recommend cyber breach liability insurance, but to qualify for a policy, and to make sure a claim is actually paid, you must meet the insurer's stated security requirements (for example, multi-factor authentication, backups, and endpoint protection, depending on the policy); otherwise coverage may be denied at the time of an incident.
Is it expensive to maintain a HIPAA Compliance Program?
HIPAA Privacy and Security requirements are scalable, which means that the required efforts and measures vary with the size and complexity of the covered entity or business associate. There is no prescribed amount to spend on compliance, and it is difficult to calculate the return on investment for a comprehensive compliance program.
It can be much more expensive not to have a good compliance program and not to be able to demonstrate compliance efforts. Small practices are not exempt: 4 out of 7 HIPAA penalties were levied against small practices.
At ESI we can help provide cost-effective solutions to address the “recognized security practices” depending on the size and complexity of your organization. We review each requirement and give you a few options with expected budgets so that you can decide what is an appropriate spend.
We can provide an initial assessment that will help determine the basic remediations that should be in place as well as a plan to continuously improve your security and compliance efforts.
*Nothing in this document constitutes legal advice. Please seek qualified legal counsel familiar with HIPAA Compliance for any legal advice.