kettlebells with

Step Up Your Game in HIPAA Compliance

Three priorities will take you a long way toward improving your HIPAA compliance. Taking cues from security experts and the Office for Civil Rights (OCR) enforcement over the past year, our three suggestions are: 1. Complete (or refresh last year’s) Risk Analysis, 2. Review your breach notification policies and 3. Ramp up workforce training.

Risk Analysis-Risk Management

OCR requires that Risk Analysis should be continuous and ongoing, and updated as needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii)). The Risk Analysis uncovers issues that need to be addressed, leading to a Risk Management plan that can be implemented as time and resources permit. You don’t need to get an “A”, you just need to do it for an honest assessment and a plan to improve.

The two key elements to a successful Risk Analysis are:

  • It is more than a “Security Risk Assessment”. This is a common misunderstanding, causing people to focus only on electronic records. Yes, the EHR system should have security safeguards to help maintain HIPAA compliance, but the overall Risk Analysis-Risk Management Plan includes an inventory of non-electronic information, a physical site assessment, workforce training, and business associate review (for covered entities).
  • The Risk Analysis needs to be site specific. For organizations with more than one site, this means that each location should be evaluated on its own because the physical layout, workforce members and risks are different.

The HIPAA E-Tool® has step by step guidance to help you do your own Risk Analysis without expensive outside help. Once you complete your first one, you Archive it with one click and it’s ready for review next year[1] SEE NOTE BELOW. Each year after the first one is easier, and our customer service guarantees you won’t get stuck – we help you when you need it!

Breach Notification

The key here is to do everything possible to prevent breaches from happening. According to the 2018 Verizon Data Breach Report, more than half of all data breaches in the healthcare industry are caused by insiders (more than other industries). Motives are most often financial gain, followed by curiosity. How are these prevented? Through training, and sanctions against workforce members who don’t comply.

Outside threats still account for huge numbers of breaches and are expected to increase in 2019. Experts predict there will be more sophisticated and believable “spear phishing” attacks on all devices, including phones and tablets. They will involve more complex technology and will include some sponsored by foreign states. The best prevention involves awareness and training.

Breach Notification policies and procedures in The HIPAA E-Tool® guide you through what to do when a potential breach occurs – how to report it internally, and to whom. Compliance staff and management need to know how to analyze whether a ‘potential breach’ is a ‘breach’ which must be reported to OCR and if so, what other steps need to be taken. Some states have more stringent requirements regarding Breach Notification and The HIPAA E-Tool® has a table of state laws for quick reference. Take the guesswork out of handling a Breach with our Breach Risk Assessment tool.

Workforce Training

Not only is training required by HIPAA, but an educated workforce is the first and best defense against noncompliance and outside security threats. Do not forget to provide training to the C-Suite. Top executives and Boards of Directors are being held accountable for HIPAA compliance by OCR, not just compliance staff.

Management and the wider workforce need to understand basic HIPAA concepts to foster a culture of compliance. This includes how to interact with patients, family members and the press, but also security awareness to avoid cyber-attacks like phishing. Finally,

Workforce training is included in The HIPAA E-Tool® for both the basics and for security awareness.

The most complete, authoritative and affordable HIPAA compliance solution is within reach at The HIPAA E-Tool®. It is easy to use, and backed up with friendly, reachable customer service staff to answer your questions. Check us out at

NOTE [1] The Centers for Medicaid & Medicare Services (CMS) mandates covered entities seeking financial incentives to conduct a HIPAA Risk Analysis once a year. HIPAA regulations require “ongoing and continuous” Risk Analysis – Risk Management. A minimum of once a year has evolved as a best practice due to the CMS requirement, although if an organization is not seeking financial incentives through CMS, a Risk Analysis once a year is not mandated but is recommended, and may be required more often if circumstances change (e.g., new systems or equipment, a security incident).

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start Kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Share This Post

Share on facebook
Share on twitter
Share on linkedin

Maggie Hales

Maggie Hales is a lawyer specializing in health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2020 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

3534 Washington Avenue, Saint Louis, MO 63103
Terms of Service | Privacy Policy

Powered by JEMSU

You may have questions about COVID-19 and HIPAA. We have answers. 

We are open and answering questions about all the new modifications and waivers, coming from HHS, OCR, CMS, and the new CARES act.

If you need help with HIPAA during the COVID-19 pandemic, fill in the form, and we’ll get back to you.

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free