
Top Three HIPAA Mistakes and How to Fix Them

Are you a healthcare practice manager or a third-party vendor that needs to stay on top of HIPAA regulations? Protecting patients’ health information is paramount, yet navigating the ever-changing rules can quickly become overwhelming. We know it’s tough out there, but we’re here to help.

That’s why we’ve compiled the top three most common HIPAA issues that often trip up even experienced administrators and practical tips for fixing them quickly and efficiently.

The negative consequences of noncompliance include data breaches, investigations, lawsuits, and fines. If you stay ahead of the game, you can avoid all this and save time and money.

Risk Analysis is Missing or Incomplete

A Risk Analysis will uncover risks to the protected health information (PHI) in your care. You begin with an inventory of all the locations where PHI is held, both electronic and non-electronic. Then, step by step, evaluate and rate the level of risk for each one. Do this once a year.

Since so much PHI is electronic, a big chunk of the Risk Analysis is a security risk assessment to reveal potential weaknesses in your digital infrastructure. As the Risk Analysis proceeds, you’ll be able to create your own Risk Management plan to stay on top of compliance throughout the year.

A Risk Analysis does not need to be done all at once, in one day or even one week. To review the steps, see HIPAA Risk Analysis Demystified.

For more information about ransomware, see the StopRansomware Guide.

How to Fix an Incomplete Risk Analysis

Start by informing other team members that the Risk Analysis needs to be refreshed or completed anew; if possible, assemble a team to help. If your organization is smaller and you’re working by yourself, you can still complete the work. It may take longer, but that’s okay. Get started.

  • List all the locations of PHI
  • Assign a risk level to each
  • Decide who will follow up to fix each issue
  • Document completion
  • Do a separate analysis for each office location

Each step needs to be documented so you can prove your work. You need to be able to show the Office for Civil Rights (OCR), or a judge or State Attorney General, what you did and when, to prove you are taking HIPAA seriously and protecting patient data.

HIPAA Training Should Include Cybersecurity Awareness

Two kinds of training are required – general HIPAA concepts and cybersecurity awareness.

Most healthcare data breaches occur through phishing and other low-tech hacking methods. Therefore, the workforce needs training about how to recognize phishing and other intrusions, and what to do if it happens.

While organizations often remember to provide general HIPAA training, too often they don’t go the extra step of providing cybersecurity awareness training.

In all cases, training needs to be relevant to the workforce member’s job responsibilities.

Improve HIPAA Training

  • Cover HIPAA basics first
  • If cybersecurity awareness is not included, add it to the curriculum
  • Tailor the training to each workforce member’s job
  • Provide it on a regular basis (at least annually)

Failure to Patch and Update Software

One of the most common causes of healthcare data breaches is vulnerable software. It can happen to the biggest, best-known companies, like Microsoft, Adobe, and Apache. Software patches tend to be overlooked – but when the vendor offers them, it’s critical to pay attention and apply the fixes as soon as possible.

HIPAA requires that organizations keep software up to date. Make it a priority and you’ll save time and money by preventing breaches and expensive investigations and penalties for noncompliance.

Update and Patch All Software

  • Review your software to ensure it’s up to date
  • Make patching a top priority; review, update and patch on a regular basis as needed

Here is a recent update from the Cybersecurity and Infrastructure Security Agency (CISA) about routinely exploited software vulnerabilities.

The HIPAA E-Tool® Makes Compliance Easy

We make HIPAA easy to understand, with plain-language explanations and step-by-step guides. From Policies to Risk Analysis to Training, The HIPAA E-Tool® has you covered.


Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2024 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC
