Today’s blog is aimed at people who have a HIPAA compliance program, but want to do better and avoid expensive mistakes. We’ve chosen three top priorities to adopt as your resolutions to improve your HIPAA compliance now.
We can also help if you do not have HIPAA policies yet and want to get started! Call us, or fill in the contact page and we can help you launch a solid HIPAA compliance program.
Your HIPAA Risk Analysis Reveals Your HIPAA Checklist
If you already have completed a Risk Analysis, congratulations! This is the single most important thing to do to ensure HIPAA compliance. Refresh, review, and keep it up to date.
Are you following the Risk Management plan that should have come out of the Risk Analysis? In nearly every HIPAA settlement with the Office for Civil Rights (OCR) over the last several years, the providers and business associates involved were found to have an incomplete Risk Analysis, or to have failed to follow it up with a Risk Management Plan.
The point of Risk Analysis-Risk Management is to evaluate where your risks are – everyone has risks – and develop a plan to manage those risks. It’s an ongoing process. When you know the steps you can do them yourself, and easily manage the follow-up.
Once the Risk Analysis is complete, there should be a to-do list, with tasks and completion dates to be reviewed and finished over the coming year. This is your personalized HIPAA checklist.
Our Risk Analysis module contains all the HIPAA checklist items from the National Institute of Standards and Technology (NIST), which many describe as a Security Risk Assessment. All the rules and safeguards the IT team needs are here. Guidance about electronic protected health information, data backup, access controls, etc., is laid out.
Repeat the Risk Analysis once a year, since circumstances change with new staff, equipment, and vendors (business associates). Once you complete it the first time, your work becomes much easier the second time and each year after with The HIPAA E-Tool® because your Risk Analysis is archived, saving all your work.
Review Your Business Associates
If you are a covered entity, look at your vendors to decide which ones are business associates. Basically, vendors who create, receive, maintain or transmit protected health information are business associates – common ones include coding, billing, and collection companies. Data storage companies, IT consultants, lawyers and accountants may be on your list.
All business associates are separately responsible for HIPAA compliance, and covered entities are required to have business associate agreements with them. If you are a business associate, do you have subcontractor business associates? Subcontractors, in turn, should have subcontractor business associate agreements with their own subcontractors.
One of the largest HIPAA lawsuits in 2019 was caused by a business associate collection company under contract to LabCorp and Quest. The American Medical Collection Agency (AMCA) caused a breach affecting over 20 million patients – multiple class action lawsuits were filed in federal courts across the country, and AMCA declared bankruptcy. LabCorp and Quest may also face lawsuits and fines, depending on their business associate agreements and whether they required HIPAA compliance from AMCA.
Follow Your Patient Right of Access Policy
Patients have the right to obtain their own medical records, and it should be easy, prompt, and free or at minimal cost. Make sure everyone in the workforce who has contact with patients understands this and is ready to follow through.
OCR adopted a “Right of Access Initiative” in 2019 to encourage covered entities to follow the HIPAA right of access rules. OCR has settled two cases recently, announced in September and November of 2019. Bayfront Medical and Korunda Medical each paid an $85,000 settlement and entered a Corrective Action Plan after OCR found that they failed to provide patients with access to their records.
Look for more cases like this in 2020.
The HIPAA E-Tool® Has Everything You Need for Strong HIPAA Compliance
- An interactive Risk Analysis-Risk Management module – do it once, archive it for next year and it becomes the core of your HIPAA compliance – every checklist and reminder you need is there.
- A business associate policy, with a draft business associate agreement, ready for you to fill in the blanks and tailor to your situation.
- For business associates, The HIPAA E-Tool® Business Associate Edition is dedicated specifically to your needs, not to covered entities.
- A complete up-to-date policy dedicated to the Patient Right of Access, with HIPAA compliance tips.