The internet abounds with HIPAA information and recommendations, and it is easy to be overwhelmed by the plethora of suggestions. A quick internet search of “HIPAA basics” returns millions of results, ranging from government requirements to implementation guides.
The following framework simplifies the approach to HIPAA compliance. Each step should be aligned with your organizational requirements; this applies to both Covered Entities and Business Associates.
1. Create a Formalized Program. Your protective program should focus on enhancing operations while preventing HIPAA violations. Be intentional, seek improvements, and keep it up to date.
   - Policies, Practices, Procedures, and Standards. Include Risk Management, Business Continuity, Disaster Recovery, Incident Management, Change Management, and other ancillary programs required to support your mission and HIPAA requirements.
   - Name a Privacy, Security, and Compliance Officer(s). This role (or these roles) should include operational and technical oversight.
   - Perform Periodic Self-Audits. Track your results and manage your deficiencies.
2. Implement the 3 HIPAA Safeguards.
   - Technical – 45 CFR §164.312 series – Technical mechanisms to manage access, authentication, encryption, and logging for ePHI data. Don’t limit your technical controls to the items listed in 45 CFR; include other relevant cybersecurity practices.
   - Physical – 45 CFR §164.310 series – Physical protection for facilities, workstations, mobile devices, and other hardware.
   - Administrative – 45 CFR §164.308 series – The active management and reporting of HIPAA programs.
   - Other recommended safeguards: Organizational – 45 CFR §164.314 & §164.316 series – Business Associate management and operationalizing programs.
3. Manage Business Associates. You may subordinate activities to another organization; however, you remain accountable for their activities and are required to take reasonable steps to cure breaches or end violations. You must create and maintain contracts with all Business Associates; contracts must contain all requirements specified in 45 CFR 164.504(e).
4. Document. You should document all your HIPAA requirements and your efforts towards compliance. This includes program documents such as Risk Assessments, Self-Assessments, and Remediation Plans.
5. Training. Programs, policies, and standards are not effective unless you teach your users about the rules and their responsibilities. Don’t try to force all learning into a single session; instead, create an effective training program that continually reinforces your culture and programs.
Bonus Tip: Do not attempt HIPAA compliance alone; consider trade associations, professional peers, and 3rd party vendors.
Resource: HIPAA Basics | HealthIT.gov
- Evaluate your current program. Is it up to date?
- Are your policies, practices, and standards current?
- How do you stack up against the 3 HIPAA safeguards? Consider a formal checklist.
- Double check your Business Associates. Are all BAs covered by a contract? Are the contracts up to date?
- Verify that you are managing all documentation. Ensure that it is organized, accessible, and up to date.
- Train, Train, then Train more. Make sure that your training program engages your users and that the material is relevant and effective.