Last week we talked about some of the major changes in the HIPAA Omnibus Ruling for Medical Practices and Billing Companies.
This week we are talking about formulating your HIPAA Compliance Plan. Firstly, HIPAA Compliance is key to thwarting cyber attacks, but more importantly, this Plan will tell your employees, Business Associates and patients (and HHS, if they should come calling) how you secure Protected Health Information (PHI). Just as important is effectively communicating the plan to your staff.
So, where do you begin? The purpose of this blog is to highlight what goes into making your plan.
Five Key Steps
Step 1 – Choose a Privacy and Security Officer
We will be talking in later blogs about what to consider when selecting these HIPAA leaders.
For a smaller practice, your Privacy and Security Officer may be the same person. For larger practices, these duties will probably be split between two people. These are the folks who are going to be spearheading your Compliance Plan. If you don’t have someone designated to fill this role, you are not compliant.
Step 2 – Risk Assessment
This step requires you to review your workplace and electronic devices to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) held by the Covered Entity or Business Associate. According to Atlanta healthcare attorney Daniel Brown, “a Risk Assessment extends not only to the accessibility of ePHI -- such as passwords -- but also to threats to your access of ePHI caused by natural risks, such as hurricanes and tornadoes, and even human risks, such as malicious hacking.”
You can perform the Assessment yourself or hire an outside contractor to come in and complete the process for you. If you're thinking about performing the assessment yourself, HHS has developed a Risk Assessment tool to help you get started.
The first option is obviously the cheapest and the second can be costly, or you can use a combination of the two. The key is to be very detailed and identify where all your potential Privacy and Security issues may lie. This will include listing all computing and mobile devices, where paper files are stored, how you will secure your offices when you are closed, etc. This is not a one-time event and will change over time as technology and risks change. You will want to revisit your Risk Assessment anytime you have a Breach, theft, or major change in hardware or software, but at a minimum every 2-3 years.
Step 3 – Privacy and Security Policies and Procedures
After completing your Risk Assessment, it’s time to create your blueprint for achieving HIPAA Compliance. The Compliance Plan should include Policies and Procedures - ensuring the Privacy of Protected Health Information and the Security of such information. The Security Policies and Procedures deal with ePHI (electronic PHI) and how you will protect that information.
Policies and Procedures need to be updated regularly and any changes need to be clearly documented and communicated to your staff. As you saw in the Penalties Section of our last blog, “I didn’t know” isn’t an acceptable defense!
Step 4 – Business Associate Agreements
Most of you use vendors or contractors to help run your practice or business. Under HIPAA, persons or entities outside your workforce who use or have access to your patient’s PHI or ePHI in performing service on your behalf are “Business Associates” and hold special status in the Privacy equation. Some examples of Business Associates include third party billing agents, attorneys, laboratories, cloud storage companies, IT vendors, email encryption companies, web hosts, etc. This list can get pretty long, and should be documented in your Risk Assessment.
Make sure you do an audit of your Business Associates before you accept a signed Agreement from them. We’ve seen a lot of folks sign these Agreements, and have no clue what they’ve agreed to. Auditing means looking at their Compliance Plan. They have to have one, or you can’t do business with them. Your legal counsel should have an Agreement you can use, or you can use a third party Agreement from a HIPAA compliance company.
Step 5 – Training Employees
You’ve got your Risk Assessment, Privacy and Security Policies and Procedures and Business Associate Agreements in hand. You’re all good, right? NO! Employees are many times your weakest link.
You need to annually train your employees on the HIPAA Rule and communicate information about your Privacy and Security Policies and Procedures that you’ve worked so hard to create. What good is all the work you’ve done on a Compliance Plan when no one knows about it, or how to use it? Train employees both on the HIPAA Law and your specific plan. In addition, you must keep records that they have been trained.
Come back next week when we will be talking about Privacy Officers. What does it take to be one? Who is a good candidate in your practice, and what kinds of responsibilities will they have?