HIPAA regulations are tricky, challenging, and full of pitfalls for the smallest of practices and business associates all the way to the largest enterprises. The introduction of the HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009 further complicates matters.
Our approach pivots the traditional advice, making compliancy practical and easier to follow.
Pitfall: Creating non-HIPAA compliant Technical and Cybersecurity systems
Solutions:
- Create and document specific HIPAA requirements, include checklists for period validation.
- Physically and technically secured all devices.
- Implement encryption with Multi-Factor Authentication (MFA) controls even on devices not leaving your facility.
- Create a robust Risk assessment based on your current business and compliance requirements.
- Do not allow any non-controlled devices access to any system containing ePHI (Electronic Protected Health Information); especially, personally owned devices.
- Remember, no organization is too small to audit.
Pitfall: Failure to manage data according to HIPAA requirements
Solutions:
- Create a comprehensive Vendor Management program; include due diligence activities such as data classification, HIPAA requirements, and technical requirements.
- Know, document, and classify all data, storage, and usage systems (data at rest, transit, and transaction).
- Digitally validate ePHI systems on all local system and end user devices.
- Respond to ePHI requests in a timely manner.
- Destroy physical and digital data in accordance with HIPAA requirements.
- Send Data breach notifications in accordance with HIPAA requirements.
Pitfall: Users activities that are not HIPAA compliant
Solutions:
- Ensure staff are trained and prepared to handle ePHI
- Conduct periodic training.
Include topics such as :
- System usage and cybersecurity hygiene
- Social Breaches – talking about patients
- Employee Curiosity
- Password Management
- Messaging ePHI
- Accessing and storing ePHI from unauthorized locations
- Periodically test your users on HIPAA and cybersecurity practices
- Create a culture that encourages employee honesty and integrity
Pitfall: Not managing Business Associates Agreements (BAA)
Solutions:
- Maintain an active roster of all Business Associates.
- Include elements specified at 45 CFR 164.504(e) in the contract or other written arrangement with Business Associates.
- Require all Business Associates to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.
- Periodically review BAAs.
Pitfall: Trying to be HIPAA compliant alone
Solutions:
- Create a partnership of resources. This includes industry associations, professional peers, and 3rd party support vendors.
- Include government resources in your program:
- HIPAA for Professionals: https://www.hhs.gov/hipaa/for-professionals
- Security Rules: https://www.hhs.gov/hipaa/for-professionals/security
- NIST based HIPAA Security Rule Toolkit https://csrc.nist.gov/projects/security-content-automation-protocol/hipaa
- Business Associate Guidelines https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates