“Continuous improvement is better than delayed perfection”
This may be a cliché, but it is still true! It’s human nature to want to do the best and do a perfect job, but that can get in the way of doing better, now, today.
In our surveys of healthcare organizations, most report they are complying with HIPAA. The devil is in the details though. Those same organizations admit they know they can do more, but aren’t sure what is missing. How can they improve?
- Risk Analysis – Risk Management
- Workforce training
- Business associate due diligence
HIPAA Enforcement Now and in the Future
Lisa J. Pino is the new Director of the Office for Civil Rights (OCR), the agency responsible for enforcing HIPAA. Some believe that one area she is likely to focus on is HIPAA Risk Analysis – Risk Management, since nearly every published settlement of alleged HIPAA violations in recent years reveals that healthcare organizations are not doing it, or not documenting what they are doing. Another focus will likely be a continuation of OCR’s Right of Access Initiative, begun in 2019. The HIPAA Right of Access rules require that patients are able to access their own medical records, easily, promptly and at minimal or no cost.
HIPAA Risk Analysis – Risk Management
This is by far the most important step, and it should be completed at least once a year. Risk Management is an ongoing responsibility under HIPAA, 365 days a year, but the analysis itself should be completed once, then refreshed regularly, as circumstances change.
It is understandable why organizations fall short. Regulators don’t make it easy. The OCR guidance on Risk Analysis is not well organized or all in one place.
At The HIPAA E-Tool® we’ve organized the HIPAA Risk Analysis requirements in logical, easy-to-follow order. Once you go through the steps, everything is documented so if you are audited or investigated, you can prove you did the work.
We have lots of guidance about HIPAA Risk Analysis, the basic overview, how to make choices about risks, the Security Rule Checklist, and how NIST interacts with HIPAA. The HIPAA E-Tool® itself has more details and step-by-step instructions to complete every requirement.
Workforce Training
Because of the cybersecurity risks in the world today, everyone, everywhere across industries, at home and at work, should take cybersecurity awareness training. In healthcare, one of the most common entry points for cyber thieves is still email. Phishing and spear phishing invite unsuspecting staff to open attachments and links, allowing hackers access to otherwise secure systems.
Business Associate Due Diligence
In healthcare, business associates are a critical part of nearly every covered entity’s function, essential for smooth operations. But a recent study reveals that healthcare organizations are not prioritizing business associate risk management. In fact, many organizations across industries are not doing enough third-party risk management, even though they are aware of the cybersecurity risks of sharing data with those third parties. Left unchecked, third-party vendors’ risks can become huge and costly for their customers. Two of the largest breaches in the U.S. in the past three years have occurred at business associates.
One task during Risk Analysis is to make a list of business associates (business associates should list subcontractor business associates). Once a list is made, HIPAA rules require a due diligence review. Note, this due diligence does NOT mean taking over the vendor’s responsibility to do their own compliance work. It means asking the right questions, and ensuring you have an appropriate business associate agreement in place.
The HIPAA E-Tool® Can Be Your Guide
You do not need to do everything all at once. You can improve step by step and greatly reduce your risks.
HIPAA compliance is a process and takes time to do completely, with care. If you believe you’re doing everything you need to, that’s great. If you think you could improve, we have the tools to help you figure out what’s needed, and steps to take you there.