HIPAA Compliance Follow-Up: Keep Your Practice on the Right Side of Compliance
Is your practice compliant? Check out the following guidelines and tips for keeping your organization on track and out of legal hot water.
There are Six Annual Assessments of HIPAA Compliance – Keep records and document deficiencies of the following:
1. Security Risk Assessment
2. Privacy Assessment
3. HITECH Subtitle D Audit
4. Security Standards Audit
5. Asset and Device Audit
Create Remediation Plans to Address Deficiencies
• Fully document plans in writing
• Update and review plans annually
Tip: Retain records for six years
Annual HIPAA Training is Required for All Staff
• Keep documentation of completed training
Tip: Designate a staff member to act as HIPAA Compliance officer
Security Awareness Training for All Staff
• Keep documentation of completed training
Tip: Provide periodic reminders to reinforce security awareness training
Develop a Contingency Plan for Emergencies
• Have policies and procedures in place for emergency response
• Create back-ups of all ePHI to ensure exact copies can be recovered
• Develop procedures to ensure critical business processes continue during emergencies
Tip: Regularly update and test the contingency plan
Perform Risk Analysis, Assess Whether ePHI Encryption is Appropriate
• If it is not appropriate, create and implement an alternative
• Implement controls to guard against unauthorized access to ePHI
Tip: Document the decision-making process covering the use of encryption
Implement Identity Management and Access Controls
• Assign unique usernames to all individuals with access to ePHI
• Implement policies to determine an employee’s need for access
• Develop policies for terminating access to ePHI
• Create a system that logs users out after a period of inactivity
Tip: Only allow access for employees who require it for their work duties
Create and Monitor ePHI Access Logs
• Create auditable ePHI access logs for all login attempts
• Routinely monitor for unauthorized access attempts
• Use controls to ensure ePHI cannot be altered or destroyed by users
Tip: Limit uses and disclosures to the minimum necessary information
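As an added illustration of the access-control and logging points above (not part of the original checklist), the following Python script reviews a constructed ePHI access log: it flags repeated failed logins and record access by users who are not on the practice's documented access list. The log format, the usernames and the allow list are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample of an ePHI application's access log (not real data).
# Every login attempt and every record access carries the unique username
# of the individual, as the checklist requires.
SAMPLE_LOG = """\
2024-03-01T08:01:10Z LOGIN user=jsmith result=SUCCESS src=10.0.5.21
2024-03-01T08:02:44Z ACCESS user=jsmith patient=P1001 action=VIEW
2024-03-01T08:15:02Z LOGIN user=rlee result=FAIL src=10.0.5.30
2024-03-01T08:15:09Z LOGIN user=rlee result=FAIL src=10.0.5.30
2024-03-01T08:15:15Z LOGIN user=rlee result=FAIL src=10.0.5.30
2024-03-01T08:15:21Z LOGIN user=rlee result=FAIL src=10.0.5.30
2024-03-01T09:30:00Z LOGIN user=tbrown result=SUCCESS src=10.0.5.44
2024-03-01T09:31:12Z ACCESS user=tbrown patient=P1001 action=EXPORT
"""

# Hypothetical allow list derived from the practice's access policy:
# the users with a documented need to access ePHI for their work duties.
AUTHORIZED_USERS = {"jsmith", "nurse2"}
FAILED_LOGIN_THRESHOLD = 3

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGIN|ACCESS) (?P<kv>.*)$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    fields.update(ts=m.group("ts"), event=m.group("event"))
    return fields

def review_log(text, authorized=AUTHORIZED_USERS, threshold=FAILED_LOGIN_THRESHOLD):
    """Return (finding_type, detail) pairs for a compliance officer to follow up on."""
    failed = Counter()
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            findings.append(("UNPARSEABLE", raw))  # a gap in the audit trail is itself a finding
            continue
        if rec["event"] == "LOGIN" and rec["result"] == "FAIL":
            failed[rec["user"]] += 1
            if failed[rec["user"]] == threshold:
                findings.append(("REPEATED_FAILED_LOGIN", rec["user"]))
        elif rec["event"] == "ACCESS" and rec["user"] not in authorized:
            findings.append(("ACCESS_WITHOUT_AUTHORIZATION", f'{rec["user"]} -> {rec["patient"]}'))
    return findings

if __name__ == "__main__":
    for kind, detail in review_log(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

Each finding should be written back to the compliance record alongside the log lines that produced it, so the review itself is auditable.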
Develop Policies to Securely Dispose of Protected Health Information
• Implement a procedure for rendering ePHI unreadable and incapable of being reconstructed
• Develop a policy to permanently erase ePHI on electronic devices
Tip: Be sure to store any devices containing ePHI securely until they can be disposed of properly
Implement Policies for Providing Patients with Access to Health Information
• Be able to provide copies of health information on request
• Provide copies of PHI in the format requested
• Create reasonable fees, if any, that are cost-based
Tip: Provide all health information in a timely manner and within 30 days
Obtain and Store HIPAA Authorizations for Uses and Disclosures of PHI Not Otherwise Permitted by the HIPAA Privacy Rule
• Clearly explain the specific uses and disclosures of PHI, written in plain language
• State the classes of people to whom PHI will be disclosed
• Include the individual’s signature and the date of signature
Tip: Be sure to include an expiry date or event for the authorization
Create a Notice of Privacy Practices (NPP)
• Provide the notice of privacy practices to all patients
• Be sure every patient has signed that they’ve received the privacy notice
• Develop procedures for dealing with complaints about failure to comply with the NPP
Tip: Publish and display privacy practices in a prominent location and on your website
Create Procedures Relevant to Annual HIPAA Privacy, Security and Breach Notification Rules
• Have all staff members read and legally attest to HIPAA policies and procedures
• Maintain documentation of their legal attestation
Tip: Keep documentation of annual reviews of policies and procedures
Identify All Vendors and Business Associates
• Maintain Business Associate Agreements (BAAs) with all associates
• Assess associates’ HIPAA compliance
• Create confidentiality agreements with non-business-associate vendors
Tip: Track and review all BAAs annually
Create Defined Process for Security Incidents and Data Breaches
• Make sure you have the ability to track and manage any incidents
• Be able to provide the required reporting of all breaches and incidents
Tip: An anonymous method of reporting breaches or violations can increase awareness