Almost every day new HIPAA breaches are reported to the Office for Civil Rights (OCR). Whether it’s hacking, phishing, ransomware or good old-fashioned theft, breaches can happen to any office – any day of the week. So, what can you do to help protect your business?
The HIPAA security rule outlines specific requirements that are not only mandatory but also help to lower your risk of a breach. Below we will review four essential implementations of HIPAA security that should be part of your overall HIPAA compliance program.
First, let’s focus on HIPAA risk analysis. The HIPAA security rule states that covered entities must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronically protected health information held by the covered entity.” The risk analysis is the foundation of the entire HIPAA program: without knowing what gaps exist in your program, how do you know what needs to be fixed? Additionally, during a HIPAA breach investigation, OCR will almost certainly request a copy of your most recent risk analysis. In a recent press release announcing a resolution agreement, OCR Director Roger Severino stated: “the failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.” When was the last time you conducted a proper HIPAA risk analysis?
Second, HIPAA security policies must be tailored to the office procedures and should be reviewed annually. If you purchased a HIPAA manual or binder and simply added your practice name and address to the documents, your policies may not accurately reflect the procedures followed in your office. For example, a generic HIPAA policy might state that no USB drives are utilized for storing protected patient information when, in reality, your employees use USB drives to transport patient records from one practice location to another. If one of those USB drives is lost or stolen, that is almost certainly a breach. When you go to report that breach, you will likely be asked to provide your policy for Device and Media Controls. If your generic policy states you don’t use USB drives, you could be found to be in violation of your own policies. Are your policies generic from a binder, or do they accurately reflect the procedures in your office?
Next, HIPAA security requires covered entities to “implement a security awareness and training program for all workforce members.” Your employees must be trained on your office HIPAA security policies, and that training should be repeated annually. Most likely, this will require more than a generic HIPAA training session at an annual meeting. If your employees are not trained on your office policies, how can you enforce sanctions against employees who violate those policies? Training helps to create a culture of compliance in your office. Additionally, in the event of a HIPAA breach, you could be asked to provide training records and training materials as far back as six years. Have all employees been trained on your specific HIPAA policies?
Lastly, let’s talk about HIPAA risk management. The HIPAA security rule requires covered entities to “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [general security standard requirements].” The focus here is mitigating and monitoring for threats throughout the year. Documentation created by continually assessing for risk and showing completion of HIPAA tasks, such as periodically verifying there are no passwords taped under keyboards, will help to demonstrate your compliance in the event of a data breach. Do you have an ongoing risk management plan?
HIPAA can be tedious and overwhelming, but it does serve a very important purpose – to aid in the protection of your patients’ most sensitive personal information. Your patients have placed their trust in you, so be sure you are doing all you can to keep their information protected.
For a self-assessment, download our HIPAA Security Checklist.
Katie Lay, CEO, CAEK, Inc.
Katie Lay has over 12 years of experience in healthcare corporate relations, sales, and compliance education, including providing educational series for leading insurance brokerage firms, state dental associations, and Fortune 500 healthcare distribution companies. Prior to CAEK, Katie held management positions in dental administration, electronic health record systems, and hospital public relations. Katie is responsible for the day-to-day direction of CAEK and cultivating partner relationships.