Strengthen your compliance by focusing on these top priorities in 2023. Learn the most efficient way to accomplish the most to keep patient data safe and avoid enforcement issues.
Update Your HIPAA Risk Analysis
A top enforcement priority of HIPAA regulators is the annual risk analysis. A security risk assessment is key, but the full HIPAA risk analysis is more comprehensive, addressing your organization’s physical layout, staffing and the human resources side of compliance. For a deep dive on the security risk assessment part, see how The HIPAA E-Tool® organizes the Security Rule Checklist.
A Risk Analysis should be completed annually, documented and archived. For a jump start on how to get this done, see HIPAA Risk Analysis Checklist
Review Your HIPAA Policies
You may find policy changes are required based on what’s discovered in the Risk Analysis, so do that first.
HIPAA policies and procedures need to be up-to-date. Make sure yours reflect current HIPAA regulations. Later this year you may need to modify your policies because changes are coming. But for now, review them to make sure they’re in sync with current law and then the changes will be easier to make in coming months.
Strengthen Workforce Training
Staff are both the strongest defense and weakest link when it comes to protecting patient data and maintaining compliance.
HIPAA requires training and it should be tailored to fit the person’s job responsibilities, so it is not one-size-fits-all. Everyone should receive cybersecurity awareness training, but beyond that, make sure staff who work with patients understand, for example, the patient right of access rules, a top HIPAA enforcement priority. The person responsible for evaluating PHI breaches should be trained on the breach notification rule and have the right procedures in place to manage and report breaches.
All staff should receive training when they’re onboarded and periodically afterward, at least once a year.
Prioritize Resources for IT Staff
Review whether IT staff has the resources needed to maintain cybersecurity in top shape. They should be receiving the most up-to-date information about health data security – this changes rapidly but there are critical resources available, from HC3, CISA, HHS and the FBI. None of these resources are trying to sell you services and they are dependable with news you need to know about how to protect data. They publish alerts, warnings, and detailed guidance about how to respond to specific threats. Here is an example of one from HC3 published earlier this month about Royal and BlackCat ransomware threats to healthcare.
Business Associate Due Diligence
Healthcare business associates are priority targets of cyber thieves because they usually have multiple covered entity customers and have so many more files or bits of information in one place.
Make sure you know which of your third party vendors are business associates, or if you are a business associate, do you have subcontractor business associates? Conduct your due diligence and review whether you have up-to-date business associate agreements (or subcontractor BAAs) in place with each.
The HIPAA E-Tool® Can Help
An efficient, modern easy to use tool that automates compliance and teaches you what you need to know is waiting for you.
But if you just have a question about how to improve compliance, let us know. You don’t have to buy anything to ask a question or watch a demo. We can help.
