Healthcare organizations and their business associates are required to operate in compliance with HIPAA regulations or face civil and/or criminal penalties. HIPAA, the Health Insurance Portability and Accountability Act, was originally enacted in 1996 but has been amended several times in response to the changing technological climate.
One major update took place in 2013. The Final Omnibus Rule was added and included changes to two of its central tenets, The Security Rule, and the Breach Notification Rule. The Final Omnibus Rule involves the inclusion of business associates in a compliance plan. In other words, providers are now required to ensure that every member in the patient information chain is fully compliant with HIPAA regulations.
With this in mind, how do you guarantee that everyone involved from your mobile app developers to your hosting and cloud services provider are fully compliant with every aspect of the law? Follow these seven steps to better understand how to ensure compliance and mitigate your risk of a breach.
1. Develop a Cohesive Privacy Policy
Adopt and implement a comprehensive security policy. Ensure that all employees receive appropriate training in these policies and run frequent quality assurance checks to make sure they’re followed. You should also require this training for all third-party vendors.
Developing these cohesive HIPAA privacy policies will provide a foundation for quality patient care and operation success. These policies should set expectations, guide daily activity, and reduce mistakes.
It can be difficult to know exactly what to document due to the complexity of HIPAA requirements. A good rule of thumb is to cover anything that relates to patient health information (PHI).
This privacy policy should be reviewed regularly and any changes that are made need to be clearly documented and communicated to employees. Unfortunately, “I didn’t know” is not an acceptable defense. By regularly reviewing your privacy policy, you can see progress over your past and current plans. This will also help to determine what your future policy should look like.
Once you have created cohesive HIPAA privacy policies, it is time to put them into practice. It is important to have communication plan to convey these policies in chunks, so employees are not overwhelmed by the amount of information. Consider requiring employees to sign off on the privacy policies to add another layer of protection in case issues arise.
2. Hire a Dedicated Security Staff
HIPAA is a complex federal statute, and as such, merits having staff members dedicated strictly to compliance protocol. You may need to hire one or more individuals in charge of executing policies and training related to patient information.
Some healthcare organizations hire a dedicated HIPAA Security Officer. While this may not be a possibility for all businesses, those who focus strictly on healthcare compliance should consider it. According to HIPPA Journal, “the HIPAA Security Rule stipulates the person designated the role of HIPAA Security Officer must implement policies and procedures to prevent, detect, contain, and correct breaches of ePHI.” Some responsibilities of a dedicated security staff member could include:
- Establishing, managing, and enforcing the Security Rule safeguards and any rules issued by OCR
- Addressing issues related to access controls, business continuity, disaster recovery, and incident response
- Conducting risk assessments and aiding in third-party audits, especially in regard to business associates and third-party vendors
- Investigating any data breaches and rectifying any problems by implementing measure for future containment
- Integrating IT security and HIPAA compliance with the organization’s business strategies
Many policies will affect the operation of the IT department, so it is important a HIPAA Security Officer understands the Covered Entity´s computer systems. Because the responsibilities are so varied, it is important to find a candidate that is in a position of authority, has strong organizational skills, and has a thorough understanding of HIPAA and any other compliance regulations you must comply with.
3. Have an Internal Auditing Process
Get in the practice of performing regular risk assessments to evaluate the likelihood of a breach and apply corrective measures when necessary. Test your policies and procedures. Require your business associates to follow a similar protocol.
In the event your organization is selected for a random HIPAA audit, it is best to prepare with your own internal audits. You can start by using resources like the Office of Civil Rights (OCR) for checklists and risk assessment tools. “The OCR has a beautiful website with useful tools. The AMA and Healthcare Information and Management Systems Society also have privacy and security sections on their sites,” said Monica Moldovan, health information privacy and security manager for the University of California, Davis Health System.
Documentation and employee trainings are a great start, but it is important to put this knowledge to the test. Do a walk-through and look for things like patient information visible on desks or computer screens. Make sure passwords a good length and require employees to update them at least every 90 days. Electronic data is a common source of data breaches, but employees and physical paperwork can be too. Be sure to diligently audit both.
While HIPAA does not specifically stipulate a required number of internal audits, quarterly checks are a good place to begin. Document the results of your internal audits and changes that need to be made to your policies and procedures. Develop and execute a plan to review and update your policies and procedures based on your internal audit results.
4. Stipulate Specific Email Policies
Generally speaking, email is not a secure form of communication. HIPAA does not exclude email as a method of communicating patient information. However, you must take steps to ensure your organizational email is encrypted and be able to document that fact.
The standard for transmission security has been updated to enforce the use of encryption. This means that each covered entity must assess its use of open networks, identify the available and appropriate means to protect electronic PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for electronic PHI to be sent over an electronic open network (such as the internet) as long as it is adequately protected.
Train employees on email security best practices. Encourage strong email passwords, start using multi-factor authentication, and avoid phishing emails. To help cut down on phishing emails, use a robust spam filter. You can often change the setting in your spam filter to block out any emails that contain specific words or phrases. Other best practices are to never open unexpected attachments or click on links without verifying its legitimacy.
5. Establish Explicit Training Protocols
Not only should you train all employees and vendors in HIPAA-related security protocols, but you should also develop security-related refresher courses and continuing education. The upfront investment will far outweigh the cost of a potential breach, which can have legal, financial, and reputational repercussions for your business. Document that training has been completed by your employees and vendors.
With regard to the question of how often HIPAA is training required, the Privacy Rule and Security Rule both offer suggestions without mandating specific timeframes. According to the Privacy Rule, HIPAA training is required for “each new member of the workforce within a reasonable period of time after the person joins the Covered Entity´s workforce” and also when “functions are affected by a material change in polies or procedures” – again within a reasonable period of time.
Craft your HIPAA security trainings around the functions and roles of your employees. A training for the IT team will most likely be different than one for medical staff. While this may be time consuming, it will be the most effective form of training for everyone and will help to reduce risks of breaches and fines.
6.Understand Breach Notification Requirements
The language addressing the steps you must take in the case of a data breach is very specific, and you must follow the established protocol. Take the time to read the Breach Notification Rule, doing so can help you understand what constitutes a breach, what steps you can take to avoid a breach, and even what documentation you need to prove the limited impact of a breach in order to avoid as much business impact as possible.
According to the Department of Health and Human Services, following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.
Breaches of unsecured protected health information affecting 500 or more individuals is posted to the Health and Human Services Office for Civil Rights breach portal. The best way to provide timely notification and comply with the rule is to understand what it requires, then to establish and refine breach notification policies and procedures. Organizations should also consider developing and implementing a cyber incident response plan that includes breach notification as part of a broader emergency preparedness and disaster recovery program.
7. Secure Relationships with Business Associates
Under HIPAA, all of your vendors and business associates must comply with all the provisions of the statute. Take special precautions to make sure your business associates are HIPAA compliant and follow proper procedures. Have documentation that asserts their compliance and obligates them to follow training and auditing procedures if necessary.
The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.
Maintaining HIPAA compliance is an exercise in diligence and a commitment to ongoing education. Implementing an appropriate level of preparation now can save you costly fines, damage to your company’s reputation and possible legal action later on. Developing and following an established set of procedures, based on HIPAA mandates will minimize your risk of being found noncompliant.
Never Worry about Falling Out of Compliance with LightEdge
LightEdge has HIPAA secure data center locations at our Des Moines, Kansas City, Omaha, Austin, and Raleigh data center facilities. With LightEdge, you can achieve auditable HIPAA compliance. With a specific background working with healthcare organizations, our data center and hosting solutions provide you with confidence you need to meet HIPAA requirements.
LightEdge offers a free risk assessment from our Chief Security Officer and Chief Compliance Officer as a free resource to all of our customers. Compliance and security are top priorities to guarantee that your data is protected. While there is no certification for HIPAA, LightEdge has successfully undergone a third-party examination against the HIPAA Security Rule and has been issued a Type 1 AT 101 letter of attestation confirming our alignment with HIPAA safeguards. LightEdge is compliant with:
If you are interested in getting a risk free assessment from our healthcare compliance experts, a tour of any of our HIPAA compliant data centers or to learn more about LightEdge’s compliance offers, contact us here. We have cloud hosting security and compliance experts standing by to answer any of your questions.
If you want to learn more about HIPAA compliance download our two e-books, Patient Privacy and Data Security: Utilizing IT Vendors to Meet HIPAA Compliance and Avoid, and How to Deploy a Secure Compliant Cloud for Healthcare.
Related Posts
- 4 Colocation Myths The Healthcare Industry Should Leave Behind
- Key Takeaways: Security And Privacy Concerns For Healthcare Data
- Steps To Strengthen Compliance And Security For Mid- To Enterprise-Level Businesses
- What All Healthcare Companies Need To Know About HIPAA Compliance
- Control the Risks of IoT and BYOD in Healthcare: Part I
- Control the Risks of IoT and BYOD in Healthcare: Part II
- How to Ensure Compliance in the Cloud Infographic
- HIPAA in the Cloud Infographic
- HIPAA Guidelines: Maintaining Security and Compliance in the Cloud