The Health Insurance Portability and Accountability Act was first passed in 1996 and has dramatically modernized the healthcare industry and increased the security of handling Protected Health Information (PHI). While HIPAA has done a lot to keep patients safe, HIPAA compliance is a common headache for both small and large businesses. There are six key components of HIPAA and steps you need to take to become one HIPAA compliant.
What is PHI
Before we get into the specifics of HIPAA, it’s important to define exactly what HIPAA is supposed to protect: Protected Health Information, or PHI. Protected health information is anything that can be used to identify the patient or person in the context of healthcare. This can be anything from name, date of birth, medical diagnosis, images (full face or x-rays) to numbers or account names generated for documentation purposes. Context is critical to protected health information. Someone’s home address, although it should never be given lightly, is not considered a PHI when given to Amazon. However, if the same home address is given to a telemedicine service provider or doctor’s office, it would count as a PHI. If you think you are using or have access to PHI, it is important to understand your role in the data process and how PHI is used and stored in your systems.
Who needs to be compliant?
Originally, only healthcare providers or “Covered Entities” had to be HIPAA-compliant. Covered facilities are those that directly manage health care or related services. With the adoption of the omnibus rule in 2013, however, “Business Associates” must also be HIPAA-compliant. A business partner is anyone who has anything to do with proprietary health information in the course of their work. This can be anyone, from account managers to IT specialists. If you work with a hospital or healthcare system, you will most likely need to be HIPAA compliant.
Why become compliant?
Even if there is a lot at stake in non-compliance and platforms like Responsible To facilitate compliance, some organizations still don’t always take HIPAA compliance as seriously as they should. However, the consequences of non-compliance far outweigh the time and cost of compliance. According to HIPAA, an organization can be fined up to $ 1.5 million for a violation or an audit that reveals non-compliant findings. It is of the utmost importance that your company takes the necessary steps to achieve HIPAA compliance. Now that we have determined that compliance is required, let’s take a look at some practical ways in which this can be achieved.
Assignment of a data protection officer
Let’s start with a simple win for compliance: assigning an officer to oversee a company’s security strategy. According to HIPAA, an organization must have a designated data protection officer who serves as the lead in achieving and maintaining HIPAA compliance. This person also serves as a point of contact in the event of a violation or review by government agencies. While other laws, such as the GDPR, place strict requirements on who can and cannot be the “data protection officer”, a HIPAA data protection officer does not have the same restrictions. However, it is usually helpful to choose someone who has a certain level of legal and technological experience, as well as the authority to put in place the proper security precautions to protect sensitive information. This person can be hired in the HR team, the IT team, or even externally specifically for this purpose. All in all, choosing a data protection officer is an easy win on your journey to compliance.
Develop policies and procedures
Now that you’ve selected a data protection officer, it’s important to outline your company’s policies and procedures. Policies and procedures are the internal documentation made available to employees that outlines the dos and don’ts of day-to-day business. These are important because they are the physical records of how business is done. Policies and procedures should reflect internal practices and, more importantly, your internal practices should be HIPAA compliance.
A Risk assessment should be conducted regularly, usually annually, to ensure that policies and procedures are followed and to ensure that business is conducted in a manner that minimizes unnecessary risk. This can be done internally or externally and must be documented and stored in such a way that a complete record of the risk assessments is available in the event of an audit.
Notification of security breaches is an important step in this process. It refers to the internal notification of relevant members of your team in the event of a violation. This requirement ensures that quick action is taken after a breach or hacking and losses are reduced as quickly as possible. The notification of violations should inform the responsible internal members of the incidents and give them sufficient time to notify all other parties involved as well as the relevant authorities. In addition to being notified of a violation, it is important to have a plan of action in case of a violation.
Agreements for business partners
Another important step in achieving HIPAA conformity is the conclusion of business partner contracts (BAA) with other companies or services you may work with that have access to PHI. This is important for everyone from your accountants to third party service providers. If they have access to PHI, they must sign a business partner agreement stating that they will be HIPAA compliant. These agreements recognize that both parties will maintain HIPAA compliance and have joint liability in the event of a breach or audit. If you work with an organization that is under review for a breach, you are also subject to HIPAA review.
Complete the mandatory HIPAA training
The next key requirement for HIPAA compliance is making sure that every member of your organization who has access to PHI is regular HIPAA training. Many services offer inexpensive training options, but it remains an important way to ensure that every employee has a basic understanding of HIPAA compliance and promotes a compliance culture. Because training is one of the primary ways employees engage with HIPAA, it often overshadows the other equally important steps of compliance. Having a robust HIPAA training process is important, but it’s just one of many requirements for becoming HIPAA compliant.
At first glance, HIPAA compliance can seem daunting, but like everything else, it’s easier to achieve when broken down into actionable steps. All in all, HIPAA compliance is a complex problem that many small businesses have to solve. We hope this article serves as a helpful resource in understanding HIPAA compliance.
The post Getting HIPAA Compliant: Everything You Need to Know appeared first on SecureLink.
*** This is a syndicated blog from SecureLink’s Security Bloggers Network, written by Ethan Hurt. Read the original post at: https://www.securelink.com/blog/becoming-hipaa-compliant-everything-you-need-to-know/