HIPAA and how to be HIPAA compliant is a topic that most physicians and their staff hate to discuss. The law can be confusing to understand, and with the workload that practices are already under, thinking about what it takes to be HIPAA compliant can truly overload them. HIPAA can also be a very technical subject, as it involves data on computers and how that data is used and accessed. In this post, we answer the question: how does a small practice begin to become HIPAA compliant?
HIPAA is concerned with the confidentiality, integrity and availability of Protected Health Information (PHI). HIPAA is a series of rules to ensure that this is done. The whole purpose of HIPAA is to protect patient data so that patient care can be provided.
There are three main parts of HIPAA for data protection. These are:
- The Privacy Rule
- The Security Rule
- The Breach Notification Rule
Where does a practice start to become HIPAA compliant?
The beginning of becoming HIPAA compliant is the Risk Assessment. This is a process where you define what areas put your PHI at risk of exposure. It is a diagnosis of your practice at the moment the assessment was made. Think of it as a snapshot.
Some of the items that a risk assessment addresses are:
- Where is the PHI?
- How do you handle your paper PHI and your electronic PHI (ePHI)?
- What are the likely and unlikely threats to your PHI? Hackers, insiders, natural disasters, theft, employees accidentally sending a fax to a wrong number?
- How do you address those threats?
- How do you protect the PHI in all the places it resides?
After you have performed, and documented, your risk assessment, you will need to make a plan to remediate anything it finds. If you just do the assessment but don’t fix anything, then you are heading into very dangerous waters. This could be considered willful neglect, as you knew of the issues but didn’t work to resolve them.
HIPAA defines Willful Neglect as: “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated” 45 CFR 160.401 (Cornell.edu)
After you have finished resolving all of the issues your first risk assessment found, perform another risk assessment. This will provide you with the documentation that you need to show that you resolved those issues. But remember, a risk assessment is just a snapshot for that moment. You may have resolved all of the issues found, but the next day an employee may post something on social media that is a breach of a patient’s privacy.
What are the next steps on the road to be HIPAA compliant?
Once you have resolved all of the issues found in your risk assessment, begin to build your policies and procedures documentation for your practice. This would include how you handle many different issues, such as who has access to what data and when. What are the password policies for your computers? Will you be encrypting the data and, if so, what data? How are your backups handled? If they are taken offsite, are they encrypted, and who handles taking them offsite? Are mobile devices with ePHI on them, such as tablets, phones, and laptops, taken offsite? Could they be stolen? Who is the Privacy Officer of the practice? Who is the Security Officer for the practice? These titles need to be in the actual job description of the person performing these duties. Policies and procedures are important and need to be documented.
A process should be created for how you handle the onboarding and termination of employees. When a new employee joins, there is a lot to consider:
- Will they need access to your EHR?
- Will they have an email address?
- Will they access the social media accounts for the practice?
- Will they have their own computer?
- Will they be using their own devices (Bring your own device, BYOD) at your office for work or personal reasons?
- What websites will they be working with that require the practice’s logins?
These are just a small number of items that need to be addressed each time an employee is hired. Because there can be a lot of items to remember, create a checklist of what you do each time you hire a new employee.
When an employee leaves, you need to follow the same process, just in reverse. Take the first checklist and modify it for when an employee leaves. This will help ensure you collected anything that they had access to such as mobile devices, keys, and ID badges. It will also make sure that you disable their access to your systems. A lot of HIPAA violations have occurred when a terminated employee still had access to PHI after they were terminated. Keep these checklists in that employee’s file for your documentation.
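As an added illustration of the paired checklists described above (this is example code, not part of the original post or any particular practice’s process), the following Python keeps the onboarding grants in the employee’s record, derives the termination checklist as its mirror image, and flags the violation case the post warns about: access that was never disabled, or was disabled only after the termination date. The access item names and the sample employee are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed access items; each mirrors one question on the onboarding checklist
# above (EHR, email, social media, own computer, BYOD, websites with practice logins).
ONBOARDING_ITEMS = ["ehr_account", "email_account", "social_media", "workstation_login",
                    "byod_registration", "vendor_portal_logins", "keys_and_badge"]


@dataclass
class EmployeeRecord:
    """One employee's file: what was granted at hire and what was revoked at departure."""
    name: str
    granted: dict = field(default_factory=dict)   # item -> date granted
    revoked: dict = field(default_factory=dict)   # item -> date revoked or returned

    def grant(self, item: str, on: str) -> None:
        if item not in ONBOARDING_ITEMS:
            raise ValueError(f"unknown access item: {item}")
        self.granted[item] = date.fromisoformat(on)

    def revoke(self, item: str, on: str) -> None:
        if item not in self.granted:
            raise ValueError(f"{item} was never granted to {self.name}")
        self.revoked[item] = date.fromisoformat(on)


def offboarding_checklist(rec: EmployeeRecord) -> list:
    """The onboarding checklist run in reverse: every granted item must be revoked."""
    return [item for item in ONBOARDING_ITEMS if item in rec.granted]


def termination_audit(rec: EmployeeRecord, terminated_on: str) -> dict:
    """Flag access that outlived the termination date (the violation case in the post)."""
    last_day = date.fromisoformat(terminated_on)
    findings = {}
    for item in offboarding_checklist(rec):
        when = rec.revoked.get(item)
        if when is None:
            findings[item] = "still active"
        elif when > last_day:
            findings[item] = f"revoked {(when - last_day).days} days late"
    return findings


if __name__ == "__main__":
    rec = EmployeeRecord("J. Doe")   # constructed sample employee
    for item in ("ehr_account", "email_account", "vendor_portal_logins", "keys_and_badge"):
        rec.grant(item, "2023-03-01")
    rec.revoke("keys_and_badge", "2023-09-29")
    rec.revoke("email_account", "2023-09-29")
    rec.revoke("ehr_account", "2023-10-06")   # disabled a week after the last day
    print(termination_audit(rec, "2023-09-29"))
```

Anything the audit returns is exactly what should not be in the employee’s file when it is closed; an empty result is the documentation that every access grant was reversed on time.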
Training is the next item to address. Train your staff over and over. In the past, sites would purchase canned HIPAA training courses on CD-ROMs or from online sites. However, these “one and done” courses won’t fly anymore with HHS OCR. The reason is that the situation is constantly changing. There are always new threats emerging that your staff needs to be trained on. The single biggest IT-related threat to your ePHI, other than a rogue insider, is a phishing attack. This is where a malicious email is sent to your staff that contains either an infected attachment or a link to a malicious site. If your employee opens the attachment or clicks on the link, then their computer could become infected. The best defense against this is training. Train them to spot these types of attacks.
Does your staff know to verify a fax number before sending? Do they know how to leave messages properly? These are all items that can be addressed with training and your policies and procedures.
This is by no means a complete answer. HIPAA involves a lot of work. You can be compliant at this moment, and then an attack occurs, an employee faxes PHI to a wrong number, etc., and you are no longer HIPAA compliant. This article was designed to give you a path to get started and the types of things you need to address. There is no such thing as a HIPAA checklist that will make you compliant. The reason is that every practice is different and has different setups, threats, and budgets. You could develop your own checklist, but no checklist or “HIPAA is simple” service is going to work. You must put in your due diligence, remain vigilant and train to stay compliant.
HIPAA is like perfection – it’s a road, not a destination.