Healthcare organizations and their business associates are required to operate in compliance with HIPAA regulations or face civil and/or criminal penalties. HIPAA, the Health Insurance Portability and Accountability Act, was originally enacted in 1996 but has been amended several times in response to the changing technological climate.
Most recently, in 2013, the Final Omnibus Rule was added, which included changes to two of its central tenets – The Security Rule and the Breach Notification Rule. The Final Omnibus Rule involves the inclusion of business associates in a compliance plan. In other words, providers are now required to ensure that every member in the patient information chain is fully compliant with HIPAA regulations.
With this in mind, how do you guarantee that everyone involved – from your mobile app developers to your hosting and cloud services provider – is fully compliant with every aspect of the law? Follow these seven steps to better understand how to ensure compliance and mitigate your risk of a breach:
- Adopt and Implement a Comprehensive Security Policy
Ensure that all employees receive appropriate training in these policies, and run frequent quality assurance checks to make sure they’re followed. You should also require this training for all third-party vendors.
- Hire a Dedicated Security Staff
HIPAA is a complex federal statute, and as such, merits having staff members dedicated strictly to compliance protocol. You may need to hire one or more individuals in charge of executing policies and training related to patient information.
- Have an Internal Auditing Process
Get in the practice of performing regular risk assessments to evaluate the likelihood of a breach and apply corrective measures where necessary. Test your policies and procedures. Require your business associates to follow a similar protocol. While HIPAA does not specifically stipulate a required number of internal audits, quarterly checks are a good start. Document the results of your internal audits and changes that need to be made to your policies and procedures. Develop and execute a plan to review and update your policies and procedures based on your internal audit results.
- Stipulate Specific Email Policies
Generally speaking, email is not a secure form of communication. HIPAA doesn’t exclude email as a method of communicating patient information – however, you must take steps to ensure your organizational email is encrypted, and you must be able to document that fact.
- Establish Explicit Training Protocols
Not only should you train all employees and vendors in HIPAA-related security protocols, but you should also develop security-related refresher courses and continuing education. The upfront investment will far outweigh the cost of a potential breach, which can have legal, financial and reputational repercussions for your business. Document that training has been completed by your employees and vendors.
- Understand Breach Notification Requirements
The language addressing the steps you must take in the case of a data breach is very specific, and you must follow the established protocol. Take the time to read the Breach Notification Rule; doing so can help you understand what constitutes a breach, what steps you can take to avoid a breach, and even what documentation you need to prove the limited impact of a breach in order to minimize the business impact.
- Secure Relationships with Business Associates
Under HIPAA, all of your vendors and business associates must comply with all the provisions of the statute. Take special precautions to make sure your business associates are HIPAA-compliant and follow proper procedures. Have documentation that asserts their compliance, and obligates them to follow training and auditing procedures if necessary.
Maintaining HIPAA compliance is an exercise in diligence and a commitment to ongoing education. Implementing an appropriate level of preparation now can save you costly fines, damage to your company’s reputation and possible legal action later on. Developing and following an established set of procedures based on HIPAA mandates will minimize your risk of being found noncompliant.