The steep price of fines, lawsuits, breaches and settlements makes the cost of proactive compliance look like a bargain. However, a comprehensive HIPAA compliance program doesn’t materialize overnight. It requires funding, planning, implementation and ongoing administration. An organization’s current level of compliance determines the time and monetary costs of becoming HIPAA compliant. Covered entities (CEs) that have a poor HIPAA compliance program or lack one altogether should get started right away with the following steps.
Designate a HIPAA privacy and security officer. This individual should be responsible for developing and implementing the HIPAA compliance program. The security officer, or officers in some larger organizations, should receive privacy or security officer training and should have the authority to act and the resources to follow through.
Develop and implement HIPAA policies and procedures. The policies and procedures should spell out the organization’s expectations for its workforce. Whether it is how to respond to patient requests to amend their medical records, how to handle a potential breach or how to safeguard their unique user IDs and passwords, staff members should receive clear and accessible guidance. The policies and procedures also should be consistently enforced; in the eyes of government auditors, the only thing worse than not having a policy is having a policy and not following it.
Provide HIPAA training to all staff members. A primary responsibility of a security officer is to ensure the workforce is trained on HIPAA. The entire workforce should receive generalized HIPAA training, and specific departments should receive directed training on specific policies. For example, the department charged with release of information and disclosure should be well versed on the specific policies and procedures pertaining to these activities.
Complete a gap analysis and security risk analysis (SRA) to determine the current state of HIPAA compliance. A gap analysis can be conducted using the OCR Audit Protocol available from HHS.[a] The security officer should conduct an SRA to identify what protections an organization already has in place to safeguard protected health information (PHI), identify threats and risks to PHI and develop a plan to mitigate the risks. The officer can use the free SRA tool from the Office of the National Coordinator for Health Information Technology.[b]
Have business associate agreements (BAAs) in place with all contractors or vendors that create, maintain, receive or transmit electronic PHI on the CE’s behalf. Business associates typically include cloud service providers and billing, transcription and shredding companies. A BAA must be in place before an organization discloses PHI to any business associate.
a. OCR, “Audit Protocol,” HHS.gov, content last reviewed Aug. 17, 2018.
b. ONC, “Security Risk Assessment Tool,” HealthIT.gov.