Let’s be honest: trying to figure out how to make sure your healthcare practice maintains HIPAA compliance is about as simple and stress free as putting together Swedish furniture while riding a unicycle on a first date. You think, oh there are only these 3 rules I must follow, what could be the big deal? Well, Karen, the big deal is these 3 rules (the HIPAA privacy, security, and breach notification rules) each have subparts, standards, and safeguards. And within these subparts, standards, and safeguards there are various implementations, definitions, procedures, processes, agreements, and controls. Add to that the fact that failure to comply with HIPAA regulations can result in massive fines, civil action lawsuits, and/or criminal charges being filed should a breach of Patient Health Information occur. Now, unicycling with Sven while building that coffee table is looking like the perfect Sunday afternoon.
So where do you even begin? Just like Sven wants to make sure you have the right allen wrench and all the parts of the coffee table, let’s start by defining the terms you need to know.
Covered Entity: A covered entity is a health care provider, a health plan or a health care clearing house who, in its normal activities creates, maintains or transmits ePHI using the electronic data interchange.
Business Associate: A business associate is a person or business that provides a service to – or performs a certain function or activity for – a covered entity when that involves having access to PHI maintained by the covered entity. Examples of Business Associates include lawyers, lab techs, accountants, IT contractors, billing companies, cloud storage services, etc.
Angela Simmons, a Certified HIPAA Professional and Certified Cybersecurity expert from CentraVance Consulting, suggests the following 5 Steps towards HIPAA compliance.
5 Steps towards HIPAA Compliance
Step One: Risk Assessment and Analysis HIPAA rules require that covered entities and their business associates evaluate their ePHI, and all associated risks and vulnerabilities. This is different than a meaningful use risk assessment which only looks at the Electronic Health Records (EHR). HIPAA requires that an entity evaluate ALL ePHI coming in, going out, being created, stored, or maintained by or for the entity. A risk assessment is not a one-time requirement, but an ongoing task necessary to ensure continued compliance.
Step Two: Risk Management Once risk assessment is completed, an entity must evaluate threats and vulnerabilities to determine what measures need to be implemented to ensure the security of ePHI. Entities must evaluate and MANAGE risk. Are there reasonable and appropriate controls or measures that can be implemented to help protect the confidentiality, integrity and availability of the ePHI owned or held by the practice?
Step Three: Training No compliance program is ever complete without training. The greatest risk to an organization will always be the human factor. ALL staff need to be trained on the tenets of the HIPAA rules. This should occur on initial hire and at least annually. The “human element” can be a big problem, and quite honestly, may always remain a large problem in the healthcare industry. Most often employees are trying their best—but if they’re not properly trained, they won’t know any better and might open a phishing email or click on a malicious link. Training your employees properly and frequently will pay dividends when your employees stop an attacker or malware dead in their tracks.
Step Four: Policy and Procedure Often entities have many of the tenets of the HIPAA rules in place but have no supporting documentation. The rules require documentation. We should treat HIPAA like we do medical or dental records: if it’s not in writing, in didn’t happen. Your Compliance Plan should include Policies and Procedures ensuring the Privacy and Security of Protected Health Information and the Security of such information. Policies and Procedures need to be updated regularly and any changes need to be clearly documented and communicated to your staff. The “I didn’t know” defense is truly no defense at all.
Step Five: Forms and Contracts HIPAA rules allow us to use patient information for treatment, payment and healthcare operations without authorization. In order to share information outside of those three parameters, we need authorization. Authorization must be HIPAA compliant, which means it must contain certain elements as outlined in the HIPAA rules. Other forms and contracts might be medical release records, restriction forms, amendment request forms, and accounting of disclosure forms. Perhaps the most important form though is the Notice of Privacy Practices and its companion form the Acknowledgement of Receipt of Notice of Privacy Practices. These notices must not only be readily available to any person who asks for it, but a covered entity must prominently post and make available its notices on any web site it maintains that provides information about its customer services or benefits.
These five steps are not exhaustive to everything a covered entity must do in order to be HIPAA compliant. Like that furniture building date with Sven, there are a lot of moving parts and much is at stake. So get off the unicycle. Call Angela at CentraVance Consulting today for a free reputation risk assessment and to help make sure your healthcare practice is on the right path!