The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 with the intention of protecting patients’ sensitive information, referred to within the document as personally identifying information (PII). This essential piece of legislation applies to all healthcare organizations and any business associates that handle sensitive data as a result of their relationship with the healthcare industry.
As the technology used to transmit and manage PII has changed, so has HIPAA. The most recent major update occurred in 2013. Called the Final Omnibus Rule, the update included key changes to both the Security Rule and the Breach Notification Rule, altering the wording so that both now involve the inclusion of business associates in compliance plans.
As a result of the Final Omnibus Rule, healthcare providers are now responsible for ensuring that PII is protected across the entire information chain, which means carefully vetting everyone from mobile app developers to cloud hosting service providers. Read on to find some helpful tips for how to ensure compliance with HIPAA in its most recent form.
1. Create Effective Relationships with Business Associates
Because all of a healthcare provider’s vendors, service providers, and other business associates must comply with HIPAA regulations, it’s important to develop effective relationships with reputable companies. Start by finding effective ways to transmit information securely online, such as implementing an electronic fax solution. Then, move on to ensure that data storage providers and app developers are compliant.
Don’t just take a company’s word that they follow HIPAA’s rules and regulations. Obtain documentation that demonstrates each business associate’s compliance and obligates the company to follow key training and auditing procedures. The Privacy Rule requires healthcare providers to obtain satisfactory assurances from their business associates in writing in the form of either a contract or another formal agreement between the two entities.
2. Develop and Maintain a Comprehensive Security Policy
Every healthcare organization should have a comprehensive data security policy in place outlining how PII is accessed, stored, and transmitted. The policy should also indicate how internal audits are to be performed and what type of training employees and third-party vendors will receive in HIPAA compliance.
Because HIPAA requirements are complex, many healthcare providers struggle with determining what to include in their data security policies. As a general rule, include any information that relates to PII. The data security policy should be updated as needed and reviewed regularly. As they are updated, the changes should be conveyed clearly to employees and business associates so it’s easy to put them into practice.
3. Have a Dedicated Data Security Officer
Given the complexity of HIPAA’s rules and regulations, it’s unreasonable to expect staff members who have not received specific training in data security to develop, implement, and ensure compliance with the company’s data security policy. Larger healthcare organizations often maintain teams of dedicated data security experts. While this may not be possible for smaller companies, it’s important to have a designated HIPAA Security Officer because it is mandated by the Security Rule.
The HIPAA Security Officer or team should be tasked with:
- Establishing and enforcing safeguards to ensure compliance with the Security Rule.
- Addressing any issues that come up regarding access controls, disaster recovery, business continuity, or incident response.
- Conducting in-house risk assessments and facilitating third-party audits of vendors and business associates.
- Investigating data breaches and implementing measures for future mitigation.
Integrating both HIPAA compliance and IT security into the company’s broader business strategies.
4. Perform Regular Risk Assessments
HIPAA Security Officers are responsible for conducting regular risk assessments and implementing corrective measures, but the organization’s employees and business associates must work with the SO by offering accurate information. Performing and documenting routine risk assessments helps organizations prepare for and respond to requests for random HIPAA audits more effectively.
When an organization is selected for a random audit, the security team should prepare in advance by performing a comprehensive internal audit. The Office of Civil Rights (OCR) offers all of the checklists and risk assessment tools required to do so. Many organizations perform routine internal audits on a quarterly basis to make identifying potential issues easier.
The best place to start is with a review of compliance-related documents and employee training sessions, but don’t just evaluate what the company’s HIPAA policies look like on paper. The Security Officer should also perform walk-throughs in different areas of the healthcare facility to look for visible patient information on computer screens or desks.
5. Establish Explicit Training Protocols
Both a healthcare provider’s staff and its business associates should be required to review the organization’s privacy and data protection policies during HIPAA-related training sessions. Establishing explicit protocols is always important.
Both the Privacy and Security Rules offer suggestions regarding how often these HIPAA training sessions should be required without giving any definitive timeframe. New employees must be provided with training within a “reasonable timeframe,” and additional refresher courses must be implemented when the facility makes functional or material changes to its HIPAA-related policies and procedures.
The training protocols should vary based on the role of the employees. IT training seminars usually include more information regarding how to implement effective safeguards when storing or transmitting digital data, for example, while the sessions designed for medical staff might focus more on personal actions that must be taken to ensure compliance. Remember that protecting PII from in-person threats is just as essential as ensuring adequate data security when patients’ protected information is transmitted in digital form.
Start Making Changes
Healthcare organizations shouldn’t wait until they face a HIPAA audit or, even worse, fines for non-compliance, to start implementing positive changes. Start by hiring a dedicated HIPAA Security Officer with all the training required to craft specific policies, choosing reputable business associates, and implementing safeguards against both data breaches and insider threats. From there, ensuring HIPAA compliance is largely a matter of keeping everything from company policies to data security protocols up-to-date and documenting everything involving the storage or transmission of PII to protect the organization in the event of an audit.