Be HIPAA Compliant Before You Have to Prove It
Imagine representatives from the Office of Civil Rights showing up at your practice unannounced, requesting to review your HIPAA compliance procedures. It can happen if you’re chosen for a random Audit. Other audits give healthcare providers just 10 days to prepare.
Even if you aren’t chosen for a random HIPAA audit, you can still face penalties for noncompliance, stemming from e a patient complaint or breach. So, taking the opportunity to proactively strengthen your privacy and compliance program will help you maintain control of your patient data and avoid headaches that are costly and time-consuming. In other words, the best time to prepare for an audit is before you’re in one.
So, rather than dreading an OCR audit, use the prospect of an audit as the foundation for making the best choices when adopting new tools, technologies, personnel and workflows.
Below are 7 recommendations for staying proactively prepared for an OCR audit, as reported by Shane Whitlatch in Healthcare Analytics News:
1. Monitor PHI to Protect It HIPAA stipulates that covered entities must ensure electronic systems holding ePHI grant access only to those persons who have appropriate rights in order to fulfill their job responsibilities. A best practice is to monitor all systems holding ePHI, in order to detect, investigate, mitigate and remediate inappropriate activity. This can also help organizations identify employees who need training, sanctioning or retraining — and foster a culture of privacy and compliance that prevents future incidents from occurring.
2. Identify High-Risk Assets Covered entities must enforce policies and procedures that adhere to the Breach Notification Rule. Identify your high-risk assets and ensure that your risk analysis of these assets is current. These should include both technical and non-technical assets that are business-critical.
3. Implement HIPAA Compliance Policies and Procedures Data are highly valuable to the good guys and the bad guys alike — even if the “bad” guys are well-meaning but uninformed employees. Unless there are proper policies and procedures in place, employees and insider threats may do things to put PHI in jeopardy. Under HIPAA 164.316, organizations are required to implement “reasonable and appropriate policies, procedures and standards.” Furthermore, organizations are required to document those policies and procedures to prove they’ve set boundaries and made expectations and standards transparent.
4. Perform a Risk Assessment You are required to conduct risk assessments to determine the probability of compromised health information. The main goal is to determine whether you need to report a PHI breach or where the vulnerabilities lie.
5. Train Employees More than half of all healthcare breaches involve insiders. To make sure employees fully understand the policies and regulations of their day-to-day work, training should be treated as an ongoing process. Once you identify employees who need training through your monitoring program, you should clearly communicate expectations about your organization’s policies and procedures and train accordingly through a learning management system program.
6. Maintain Business Associate Agreements Covered entities and vendors are both required to create, receive and transmit PHI in a secure and intended manner. Therefore, it is a critical best practice to enter into business associate agreements (BAAs) with any vendors handling PHI. If either party violates the BAA, they may face penalties from the HHS. Most importantly, find a vendor who takes the BAA very seriously. Any organization can sign one, but do they have the proper protocols in place to responsibly handle PHI? Ask questions and investigate to assess how secure their processes really are.
7. Develop an Incident Response Plan (IRP) An incident response plan (IRP) helps your organization contain security incidents that would otherwise become breaches requiring regulatory involvement. The HIPAA Security Rule requires covered entities to have a plan in place. The HHS provides a free Incident Response Plan template to help organizations handle incidents with more agility.
When you have policies and procedures in place to remain compliant, an OCR audit won’t strike fear into your heart. You’ll be confident knowing you’ve done whatever’s necessary to keep your data secure. That's where HIPAAcraticRx comes in. You don't have to tackle the above steps alone. We can be your wingman! HRx offers scaleable monthly billing, based on practice size. Bring us in to find out how to secure your practice -- and your peace of mind!