If you have questions about where to start with compliance, you are not alone. We are often asked how to get started, and the questions come from all levels, from those just beginning to others who already have a compliance program and want to improve. The questions vary from:
“where do we begin?” to
“how can we improve?” to
“what’s missing?”
Both covered entities and business associates are looking for ways to improve, but getting started can be time-consuming and confusing. If you do an internet search you’ll see dozens of vendors ready to sell you compliance tools, but how do you know what you need?
HIPAA Compliance Basics
HIPAA requires that covered entities and business associates have Administrative, Technical and Physical Safeguards in place to protect the privacy and security of patient information in their care. But there is no “one size fits all” solution for HIPAA compliance. Each organization is unique, and the key is to build your own compliance program tailored to your situation. It is not that hard, and you can get there by following the fundamentals step-by-step.
I. Conduct a Risk Analysis
A HIPAA Risk Analysis is designed to identify the specific threats to the privacy and security of protected health information (PHI) in your organization, and to estimate the likelihood and impact of each. A big part of it is a security risk assessment that reveals potential weaknesses in the systems that create, store or transmit electronic PHI. When it’s feasible, the Risk Analysis works best when a team of people work on it together. A team approach helps ensure that none of the issues slip through the cracks, and also helps build a culture of compliance across the workforce.
Once the analysis is complete, your organization should assign responsibility to someone for addressing each vulnerability to reduce the risks as much as possible. The team approach lets you assign risk management follow-up to employees in a way that complements their role, e.g., IT staff or an outside IT consultant can apply software updates and review password policies and access controls, while HR can organize HIPAA training. In a smaller office with one compliance person doing most of the work, organization and setting priorities are key. Fortunately, the E-Tool guides you step-by-step through the process, with help that’s a phone call away.
The Risk Analysis section of the E-Tool provides an easy to use form to assign action steps and deadlines, all saved and documented as your Risk Management plan. You can also track your workforce training and business associate agreements, with guidance about how to manage business associate risks.
II. Maintain Up to Date HIPAA Policies and Procedures
Policies set forth your organization’s understanding and acceptance of HIPAA requirements, while procedures give you the how-to tools to follow the policies. The procedures also help you manage the specific threats to PHI security by reducing them to a reasonable and appropriate level.
An example of a policy is one that supports the patient’s right of access to their own medical records. The procedures might include naming one person in the organization to respond to requests, and having a clear process for answering requests for access to ensure they comply with HIPAA law: responses should be prompt (generally within 30 days) and at no cost, or at a reasonable, cost-based fee, to the patient.
III. Provide Role-Based Training
Employees are the backbone of a HIPAA compliance program. So they need training to learn about the safeguards they must apply related to the PHI they encounter in their jobs.
Although most health records are now maintained electronically, healthcare remains a people-oriented field. Everything that happens in healthcare requires people interacting with other people, whether other professionals, patients or the public. Staff need to learn the HIPAA basics, and beyond that, the specifics relevant to their job responsibilities.
In addition to learning the basic safeguards of maintaining privacy and security of PHI, cybersecurity awareness training is essential today.
Effective training needs to be relevant, and should be targeted to the employee’s job responsibility. Not everyone needs to know everything.
IV. Continuous Review Year-Round
Repeat, review, retrain. Keep policies up-to-date with current law and enforcement trends. Check in with staff to make sure they understand their responsibilities for keeping patient information secure and are maintaining the safeguards.
Monitor the risk management plan and make sure tasks are being completed. If there is a significant organizational change, e.g., you added an office location, acquired new equipment, or purchased or merged with another practice, open the HIPAA risk analysis and update it with the new information. Don’t wait until the end of the year.
Help with HIPAA Compliance is Available
Whether you are beginning to build your compliance program, or you’re a seasoned professional who wants to refresh what you have, we would love to help. We have what you need, tailored to your situation.