The best time to become HIPAA compliant was 20 years ago (1996). The second best time is now!
What is HIPAA compliance? HIPAA is the US federal law (passed in 1996) whose Privacy, Security and Breach Notification Rules set the requirements for safeguarding your patients' Protected Health Information (PHI). Its purpose is to ensure the confidentiality, integrity, and availability of patient information, both on paper and in electronic form.
HIPAA compliance does feel like an enormous task, especially at the starting line. Between risk analysis, firewalls, encryption, staff training, and physical security, it can be overwhelming with no light in sight.
HIPAA compliance one step at a time is more effective than one big step to the finish line
HIPAA compliance is never 100% complete. Practice processes change, staff turn over, technology is updated, and suddenly the environment is significantly different from the one covered by the last HIPAA assessment. The point is that HIPAA, like technology, is a moving target that rarely stands still.
The Department of Health and Human Services, through its Office for Civil Rights (OCR), expects every Covered Entity and Business Associate, regardless of size, to safeguard protected health information (PHI).
Conversely, if you can show a documented, good-faith effort to comply, that record is taken into account when a violation is investigated, so keep the evidence of what you have done.
As you’ll see below, documentation and training are the two most critical properties of the HIPAA compliance process.
Documentation helps you understand what has been done or not. It is also your proof in the event of an investigation.
Staff training is the key element in creating a culture of compliance and is what most reduces the chance that your organization is compromised in the first place.
Understanding the HIPAA compliance process
Understanding the HIPAA compliance process helps you see its intent and how it protects your patients' PHI. Rather than purchasing "The Binder" and figuring it out that way, here is a list of the necessary steps to compliance.
Recognize data flow and create a flow chart
Before you start, identify where your PHI is located. Some things you should know:
- How data enters and departs your practice
- Where the data is stored throughout your practice
- Which third parties the data is sent to
By understanding how your organization handles data, you can find the places where it is exposed, on the network and off it.
A PHI flow chart is a graphical representation of where PHI comes into your organization, where it’s stored, and where it leaves.
The more places that patient information is accessible, the higher the risk of a data breach. That’s why flow charts are important. You can’t protect your data if you don’t know where it’s entering and leaving your practice.
Train your staff and test them
One of your greatest security risks is your staff if they are not properly trained. Make a plan for how often you will train staff members. With countless policies to learn, once a year may not be enough; ongoing quarterly training is recommended.
The best way to evaluate effectiveness of your training is to test your staff. This will help you see how your employees will react in an incident. Here are two common ways you can test employees:
- Have someone unfamiliar to the staff come in and try to gain access to PHI. What will your staff do? Do they question or report the person?
- Have your IT support staff send a simulated phishing email. Track how many recipients click the link or enter credentials, which is a far more reliable measure than "opens" (open tracking depends on the mail client loading remote images). Then demonstrate how to identify a phishing email with examples of what it looks like.
Use the results of this run-through to make a plan for the future. This will show where employee training needs improvement. Don't forget to document everything.
Locate soft spots in security
Use the results of your tests to see where your organization needs to improve security. Run a thorough vulnerability scan of your network, covering servers, workstations and network devices, to see where your technical security may be lacking. A good scan should feed directly into your assessment results, and its remediation (gap) report should identify each weakness and provide a fix for that specific problem.
Create a risk management plan
From the Gap Report, create a plan to resolve all underlying issues throughout the network, including peripherals. The HIPAA Care system will diagnose problems, prioritize them, and generate instructions for your IT professional.
The best way to avoid "overload" is to prioritize the problems and tackle them one at a time. The HIPAA Care system automatically creates this list for you. Some things to ask yourself are:
- Which vulnerabilities are the highest risk?
- What vulnerabilities will potentially affect you this year?
- Where and what are the highest threats?
Otherwise, print out the list and give it to your IT professional. They should be able to address most, if not all, of the issues on the list.
Create an incident response plan
Create and update your incident response plan by using information from your risk analysis and risk management plan. Here are some questions that should be addressed in the plan:
- What security precautions are currently in place?
- What protocol is in place in the event of a data breach, including who is notified and within what time frame?
- Do staff members know their responsibilities before, during and after an incident?
- What if a business associate is involved in the incident?
Include these elements in your plan and make sure employees are properly trained to respond to a data breach.
The best way to know how your employees will react in a data breach is to put them to the test with a practice scenario. Observe how employees work together and how they resolve issues under pressure.
Document failures and successes during the test, so you can make adjustments to your incident response plan.
Get your Business Associates on board
If your business associates aren't secure, you can still be liable in a data breach. Make sure every third-party vendor that handles your PHI is HIPAA compliant and has signed a Business Associate Agreement.
Update security, privacy and breach notification policies
Most dental practices haven't updated their organizational policies in years. Policies define what your organization protects and how it protects PHI. Document these policies in writing, or risk liability in an investigation. It's also very important that the documented policies are stored somewhere they can be retrieved and produced on request. The big three that you will want to implement:
- Privacy Policies
- Security Policies
- Breach notification policies
Evaluate your process
HIPAA isn't an annual process but an ongoing one. See where you are in the HIPAA process and monitor progress. Set yearly goals and document those plans accordingly.
Remember, HIPAA doesn’t have to be overwhelming; you just need to break it down into bite-sized steps. You can’t become HIPAA compliant in a day, but if you work at it step by step, it eventually gets easier.
Final word
HIPAA compliance is an ongoing process, not a destination. Hardware updates and staff turnover are both examples of change that affects your practice's environment. As your environment changes, so can your compliance standing.
From sticky notes to file servers, PHI is everywhere. HIPAA regulations are designed to protect that PHI. Beyond the safeguards themselves, documentation and staff training are the two most critical points throughout the process.
Taking the first step to HIPAA compliance is always the hardest. Doing nothing prolongs the inevitable and compounds the risk of a data breach. Protecting your patients' PHI and your practice's security is what HIPAA represents. While becoming compliant can be painful, choosing a sound system to manage it will save you time, money and your practice. It will also show patients that your practice is fully committed to protecting their PHI.