Three priorities will take you a long way toward improving your HIPAA compliance. Taking cues from security experts and from Office for Civil Rights (OCR) enforcement actions over the past year, our three suggestions are: 1. complete (or refresh last year's) Risk Analysis, 2. review your breach notification policies, and 3. ramp up workforce training.
Risk Analysis-Risk Management
OCR requires that Risk Analysis be continuous and ongoing, and updated as needed (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii)). The Risk Analysis uncovers issues that need to be addressed, leading to a Risk Management plan that can be implemented as time and resources permit. You don't need to score an "A"; you need an honest assessment and a plan to improve, and you need to document both, because an analysis that exists only in someone's head cannot be shown to OCR.
The two key elements to a successful Risk Analysis are:
- It is more than a "Security Risk Assessment". This is a common misunderstanding that causes people to focus only on electronic records. Yes, the EHR system should have security safeguards to help maintain HIPAA compliance, but the overall Risk Analysis-Risk Management Plan also covers an inventory of non-electronic information (paper charts, faxes, film), a physical site assessment, workforce training, and business associate review (for covered entities).
- The Risk Analysis needs to be site specific. For organizations with more than one site, this means that each location should be evaluated on its own because the physical layout, workforce members and risks are different.
The HIPAA E-Tool® has step by step guidance to help you do your own Risk Analysis without expensive outside help. Once you complete your first one, you archive it with one click and it's ready for review next year (see note [1] below). Each year after the first one is easier, and our customer service guarantees you won't get stuck – we help you when you need it!
Breach Notification
The key here is to do everything possible to prevent breaches from happening. According to the 2018 Verizon Data Breach Investigations Report, more than half of all data breaches in the healthcare industry are caused by insiders, a higher share than in any other industry. Motives are most often financial gain, followed by curiosity. How are these prevented? Through training, and sanctions against workforce members who don't comply. Insider misuse is also much easier to catch when access to patient records is logged and reviewed, which is what the Security Rule's audit controls standard (45 C.F.R. § 164.312(b)) requires.
Outside threats still account for large numbers of breaches and are expected to increase in 2019. Experts predict more sophisticated and believable "spear phishing" attacks on all devices, including phones and tablets. They will involve more complex technology, and some will be sponsored by foreign states. The best prevention is awareness and training, backed by the technical safeguards the Security Rule already requires, since even a well-trained workforce will occasionally click.
Breach Notification policies and procedures in The HIPAA E-Tool® guide you through what to do when a potential breach occurs – how to report it internally, and to whom. Compliance staff and management need to know how to analyze whether a "potential breach" is a reportable "breach" under the four-factor risk assessment in 45 C.F.R. § 164.402, and if so, which notifications are due (to affected individuals, to HHS, and in some cases to the media) and by what deadline. Some states have more stringent requirements regarding Breach Notification, and The HIPAA E-Tool® has a table of state laws for quick reference. Take the guesswork out of handling a breach with our Breach Risk Assessment tool.
Workforce Training
Not only is training required by HIPAA, but an educated workforce is the first and best defense against noncompliance and outside security threats. Do not forget to provide training to the C-Suite. Top executives and Boards of Directors are being held accountable for HIPAA compliance by OCR, not just compliance staff.
Management and the wider workforce need to understand basic HIPAA concepts to foster a culture of compliance. This includes how to interact with patients, family members and the press, but also security awareness to avoid cyber-attacks like phishing.
Finally, workforce training is included in The HIPAA E-Tool® for both the basics and for security awareness.
The most complete, authoritative and affordable HIPAA compliance solution is within reach at The HIPAA E-Tool®. It is easy to use, and backed up with friendly, reachable customer service staff to answer your questions. Check us out at thehipaaetool.com.
NOTE [1] The Centers for Medicare & Medicaid Services (CMS) requires covered entities seeking financial incentives through its EHR incentive programs to conduct a HIPAA Risk Analysis once a year. HIPAA regulations themselves require "ongoing and continuous" Risk Analysis – Risk Management. A minimum of once a year has evolved as a best practice because of the CMS requirement; if an organization is not seeking financial incentives through CMS, an annual Risk Analysis is not mandated but is recommended, and the analysis should be refreshed more often when circumstances change (e.g., new systems or equipment, a security incident).