HIPAA regulations cover a lot of different topics and it may seem overwhelming at first. In fact, many organizations are so overcome with the massive amounts of information related to HIPAA compliance that they delay getting started, or just pick a few of the more common elements to implement and ignore those that they don’t understand. While doing something is better than nothing, it is important to remember that the regulations exist for a reason. They are not designed to create extra work, but rather to protect patient information.
Five Essential Steps to HIPAA Compliance
More detailed information on the following topics can be found on the HealthIT.gov web site at: https://www.healthit.gov/topic/hipaa-providers, but there are five essential steps to effectively comply with the HIPAA Privacy, Security, and Breach Notification Rules:
- Conduct a Risk Analysis/Assessment
- Develop and Implement Policies and Procedures
- Develop an Incident Response Plan
- Train Employees
All HIPAA Compliance efforts start with a risk analysis. A risk analysis starts with documenting where and how Protected Health Information (PHI), including both physical and electronic (ePHI), is created, transmitted (sent or received), and stored. If you already have written procedures implemented, you can use those as a guideline, but you should also interview those directly involved to make sure the actual process follows what you have documented. For each step of the process, you must carefully consider the environment and what vulnerabilities exist in the process, system, or people involved that could present a threat of an exploit. Then quantify the risk by assigning a probability of it happening and the potential severity. Next, develop a plan to mitigate the risks you have identified in order of most to least critical. You may not be able to fix everything at once, but it is important to address each item as you can. The risks will not lessen just by waiting.
Develop and Implement Policies and Procedures
Policies and Procedures form the core of an effective ongoing HIPAA compliance program. These items will be the foundation upon which the rest of your compliance efforts will be built and ensure that you have standards that can be consistently executed. If you already have written policies and procedures, you’re off to a great start. If not, you should start the documentation process as part of conducting the risk analysis and update them as your needs change and as you remediate risks identified previously.
Develop an Incident Response Plan
Unfortunately, in today’s world it is not a question of if but when you will have a breach. According to a survey conducted by Kaspersky Lab, over half (54%) of all companies experienced at least one cyberattack in the previous 12 months. This just represents external threats. In a study published by Verizon, it was reported that the majority of HIPAA breaches are the result of human error. Fortunately, most incidents involved a relatively small amount of affected records. They aren’t all of the same magnitude as the breaches we read about in the news. However, the effectiveness of an incident response plan is key in preventing a small breach from turning into something much more significant.
Train Employees on HIPAA Requirements
You may have great Policies and Procedures and an effective Incident Response plan, but they are all for naught if the employees don’t know about them. It is critical to train every employee across the organization on their responsibilities and to make sure they know where to find the documentation. The training should be conducted any time a new employee is brought onboard, whenever something changes, and at regular intervals. Periodic training is often overlooked, but very important as not all activities happen on a frequent basis and it is easy to forget something if it’s not part of a regular routine. Short monthly training sessions are recommended, but at a minimum you should conduct refresher training at least annually.
HIPAA compliance is not a one time event. Though the initial efforts to achieve compliance set the stage for success, it is important to re-assess the risks periodically, if there is an incident, and any time there are changes to the environment, both within your organization or as new external threats arise.
Foster a Culture of Security
Though there are specific requirements that must be met for HIPAA compliance, just being able to check off the boxes does not provide the maximum protection against a data breach. It is critical that your organization builds a complete culture around security. This means placing a top priority on security at all levels of the organization and incorporating the principles of security in every day tasks, not just when the risk analysis is pulled out for a periodic review.