The truth is, there is no secret ingredient or roadmap to getting there. Developing an effective HIPAA compliance plan starts with learning the basics and simply following the rules.
Our 5 step plan is a guide to help healthcare organizations avoid uncertainties and ensure patient privacy is at the forefront.
1) Understand HIPAA
Signed into law by Bill Clinton on August 21, 1996, the Health Insurance Portability and Accountability Act was initially implemented to help individuals maintain health coverage after they changed or lost a job. Today, HIPAA is better known for its ability to protect private healthcare data regardless of the format in which it was created, received, maintained or transmitted.
There are 4 rules to be aware of when it comes to HIPAA compliance.
- The Privacy Rule is a national standard that protects the privacy of individuals' medical records and other personal health information. Additionally, this rule gives patients the right to obtain a copy or request changes to their health records.
- The Security Rule was established to protect health information that is held or transferred in an electronic form. Under this rule, covered entities are required to implement appropriate technical and non-technical safeguards to ensure the protection of electronic protected health information (e-PHI). You can find a list of different safeguard options here.
- The Enforcement Rule provides procedures for compliance, investigations, and imposing penalties that violate the HIPAA Privacy Rule and Security Rule. The Office for Civil Rights (OCR) is in charge of enforcing and accessing these potential HIPAA violations.
- The Breach Notification Rule requires covered entities to notify affected individuals and the U.S. Department of Health & Human Services (HHS) when private information is compromised. These notifications must be made within 60 days of a security breach. Introduction of the HITECH Act further strengthened the privacy and security of health information.
2) Evaluate Current Policies
Before implementing a plan, you should review your workplace for potential vulnerabilities and threats to protected health information. The best solution is through a risk assessment. You can do this by hiring an outside contractor or performing the assessment internally. If you choose to perform the assessment yourself, keep in mind of what to look for during your risk analysis. You should be able to identify where health information is being stored, how it is being protected, and the impact a data threat can impose on your organization.
HHS recommends organizations conduct an ongoing risk analysis to monitor new threats that may arise. To help guide you through the assessment process, HHS developed a free security risk assessment tool that you can download here.
3) Implement Security Measures
It is now time to come up with your strategy. If not done already, make sure you designate a Privacy and Security Officer. They will be responsible for carrying out your HIPAA compliance plan and minimizing risks where health information exists.
As mentioned earlier under the Security Rule, you will need to make sure technical, physical and administrative safeguards are in place.
If your data is stored electronically, the technology software being used needs to be secure and encrypted. You should also determine who will have access to this data when information needs to be released or disclosed.
Physical procedures are another line of defense for protecting health information. You should take into account where data is physically being accessed or stored. Will it be accessed at the office, from a member's home or other locations outside of work? Does your organization use paper documents containing patient information such as medical bills or sign-in sheets? Regardless of where it's being obtained, preventative measures need to be implemented within those facilities to avoid unauthorized access, tampering and theft of data.
Your organization must also have appropriate administrative controls in place. These include things like written policies and procedures, employee training, security process and business associate contracts. In addition, establishing a contingency plan for emergency situations is a requirement. For example, when a natural disaster strikes and you experience a power outage, how will you restore or access this lost data? Healthcare organizations should consider all these aspects in order to protect the integrity of health information.
4) Review Your Plan
Once your required safeguards are set up, you will want to test your program to discover any compliance gaps or weak spots. The last thing you want is to be hit with a violation or audit from the Office for Civil Rights.
Last month, the nation's top HIPAA enforcer Roger Severino spoke about enforcement efforts and said there is no slowing down. He also went on to say that just because you're a smaller business, it doesn't mean you will fall out from under OCR's enforcement radar. All entities who hold protected health information need to treat it like gold. Especially when you consider the steep price a HIPAA violation can result in. The maximum penalty one might face is $50,000!
Performing a self-audit is another great way to reduce patient complaints or failed audits. It will help you identify areas that are working or needs improvement. The University of Wisconsin-Milwaukee offers a free, self-audit tool you can use as a helpful resource.
5) Training Your Staff
The final step in our process is the maintenance aspect. A good plan is only as good as the people who know about it. To have an efficient system, your employees need to be trained and educated. Be sure to inform them about patient rights, the protocols you have created, and the basics they need to know about HIPAA. Some states may add to HIPAA and have their own additional laws for protecting patient confidentiality and health records. It would be in your best interest to educate your staff on this as well.
Furthermore, everyone needs to stay cognizant of changes that take place. For example, was their an update made to the HIPAA law? Did your organization recently adopt an electronic system for handling patient information? It is important to communicate with your employees this new information so they can follow the correct procedures.
Although it might seem like a challenge, implementing a HIPAA compliance plan is achievable. Just remember to comply with the law and take things step-by-step. At the end of the day, protecting patient information should be your main goal. How you go about doing that is up to your organization.