by Jay Hodes, President - Colington Consulting
I always make it a point to educate healthcare providers (Covered Entities) and those designated as Business Associates who are trying to understand the complexities of HIPAA compliance. Whatever your involvement with HIPAA regulatory requirements, it can be a nightmare to figure out exactly what the government wants you to have in place as far as the proper safeguards to protect health information.
Although there is a lot to cover when it comes to HIPAA compliance, here are five tips to consider:
- Provide Education, Security Awareness and Training – In order for your workforce to understand how to follow HIPAA compliance requirements, they must be educated and trained on all the requirements. It is good to cover privacy and security safeguards and imperative to conduct HIPAA Security Awareness Training, which is an annual regulatory requirement. Some type of training program must be in place, along with records that confirm who took the training and the date.
- Have a Strong HIPAA Sanction Policy - Think of it as the office disciplinary policy. Appropriate sanctions must be in place so that the entire workforce understands the consequences of failing to comply with HIPAA privacy and security policies and procedures in order to prevent a breach of patient records from occurring. Having a Sanction Policy is a requirement of the HIPAA Security Rule.
- Conduct an Internal Compliance Review – An internal compliance review ensures that all HIPAA related policies, procedures and guidelines are adequate and in place. The review can also determine any inadequacies to be addressed. Use a comprehensive checklist to complete the review. But remember, a checklist does not replace the requirement to conduct a HIPAA Risk Assessment, which must be done on an annual basis.
- See What Others Have Done Wrong and Learn from Their Mistakes - If you have never checked out the HHS Breach Notification Portal, then do so. You will probably be amazed by the number of reported breaches. Even if a breach was unintentional, there should have been proper safeguards in place that may have prevented the breach. Unencrypted lost or stolen laptops and other portable media devices, like USB thumb drives, lead the list of how protected health information can be compromised.
- Prepare for an Audit – If your organization or business prepares as if a letter could arrive from HHS any day indicating you have been identified for an audit, it should be easier to have the required compliance items in place and tamp down any concerns. I can tell you from experience, if you do not have all the HIPAA requirements in place, there is no way an organization can be prepared for an audit in a short amount of time. HHS will look for specific dates for items, such as when an access audit was conducted and when a HIPAA Risk Assessment was conducted, as well as entry dates on a maintenance record log.
Pre-audit notifications are underway by HHS. Now is the time to prepare. If you are a Covered Entity or Business Associate, you are mandated by Federal law to meet all the requirements of the HIPAA Security and Privacy Rules.