What are the steps to a HIPAA compliant program?

​A HIPAA compliance program looks different from one organization to the next, depending on their specific needs. Although varied, each program goes through a similar cycle that I will outline in this week’s blog. Keep in mind, the cycle typically repeats on a yearly schedule as mandated by HIPAA.

​In the compliance process, audits are the most fundamental piece. Often, organizations work with third parties to detail their current policies, procedures, and security measures (physical, network and computer systems). After the audit process is complete, your organization will know where they stand in terms of HIPAA compliance and have a detailed list of deficiencies. 

​Following the audit, a qualified professional who understands the broad spectrum of risks in your industry will provide a risk rating based on the audit results, your goals, and potential threats. Per industry standard, the rating comes in a variation of low, medium, or high. Included in the results are mitigation measures, which will have the highest impact on moving the risk-rating needle to low.

​Sometimes done twice, after the audit and then again after the risk assessment, the remediation phase should eliminate all deficiencies from the HIPAA audit and reduce the overall business risk to a manageable level. The level of acceptable risk differs for each business owner but can be reduced with a tool most medical practices forget about, insurance. By design, insurance is there to help businesses manage risk by offloading the potential cost to another entity. A cyber liability policy can cover all costs of a breach including brand repair, investigations, remediation, and fines. Furthermore, being HIPAA compliant can reduce the insurance premium.

​Although considered part of the remediation step, policies are a unique piece to compliance. Policies should be customized to each business based on its needs, technologies used, and other influential factors. They are the guiding principles for employee behavior and should clearly outline appropriate practices with well-defined consequences for infractions.

​Derived from audits, risk analysis, and policies, training should inform employees about threats to the business and the business procedures. Every year these should reflect any changes to the three influential factors, especially changes in criminal behaviors. Keep in mind that employees are the first line of defense and great training is integral to staying compliant and stopping threats at the gate.

Another often forgotten piece in compliance: business associates (BA) can have a large impact to compliance and security. With the implantation of HITECH, Certified Entities (CE) became responsible for BA’s compliance with HIPAA; requiring a signed agreement and assurances of compliance. A quick look at the Wall of Shame  demonstrates the large impact this change  has had on the landscape, with almost 3 million patients exposed from BA breaches reported in November 2018, opposed to none of these associates being held responsible pre-HITECH, practices cannot ignore their vendors.

Audits, Risk Analysis, Remediation, Policies, Training and BA management represent the major areas of compliance for all HIPAA compliant organizations and Business Associates. Missing any one of these items could leave your organization exposed to an audit or breach.
 
For a complete HIPAA checklist, request one with a valid email address [here]
For other HIPAA blogs, check [here]
 
For FREE educational opportunities and networking stay tuned for news about a new healthcare technology and risk forum in Charleston, SC.