Requirements of HIPAA
Since 1996, The Health Insurance Portability and Accountability Act (HIPAA) has served as a monolith for the political basis of protecting PHI in the United States. Since its inception, many countries and even states within the United States have created their own legislation that models or expounds on the rights and regulations initially presented in HIPAA. While legislation across the words entails a variety of requirements, it raises the question of what it specifically means to be HIPAA compliant? How can you ensure that your business is safe in the event of an audit?
A question that we get asked at Accountable quite often is “Can I get a HIPAA certificate? We need our HIPAA Certificate!” And we hate to break it to you, but the HSS does not formally recognize or endorse any sort of HIPAA certification. They lay the framework for compliance, but it is your job to check all of those boxes. While this may seem like a bit of a headache, it ensures that businesses are continually up-to-date with legislation as well as keeps Covered Entities and Business Associates alike honest. Remember, HIPAA is the legislative framework for outlining and protecting an individual's protected health information (PHI). As a business associate or covered entity it is your responsibility to ensure you are protecting your patient’s rights by at minimum maintaining HIPAA compliance.
All of that being said, HIPAA compliance in many ways may seem like a moving target, complex, and hard to maintain. Below, we will briefly outline each of these boxes that need to be checked in order to be HIPAA compliant.
Selecting a Privacy Officer
First thing on the to-do list is electing an internal privacy officer. This person is essentially responsible for managing and executing the policies and procedures responsible. While parties offer to take over these responsibilities for you, you are still required to have an internal point of contact who is technically in charge of enforcing all HIPAA related policies and procedures.
Related: Five Habits of a Good Privacy Officer
Businesses required to be HIPAA-compliant must have policies in place regarding how your protected health information (PHI) is utilized. HIPAA clearly lays specific privacy policies that usually don’t change all that much from company to company. These policies could cover anything from who has access to this information, to the context with how it is accessed. Privacy policies are intended to be the first line of defense to prevent unnecessary breaches of PHI.
Security Procedures on the other hand are going to be much more company specific and deal with more of the infrastructure and backend of the company. This is dealing with specific, technical and procedural requirements to meet HIPAA guidelines. Strong passwords, encryption, locks on filing cabinets, dual authentication systems are just a few examples of some security measures that can be taken to ensure HIPAA compliance. Think of security procedures as proactive measures taken in order to mitigate data breaches from a user error perspective. These procedures mitigate the opportunity for breaches and ensure the daily business operations are conducted in a way that ensures compliance throughout every day tasks.
Business Associate Agreements in Place
Business Associate Agreements or BAAs are agreements between both covered entities and business associates that acknowledge and affirm that both entities are HIPAA compliant. For quite some time Covered Entities were only required to have these agreements however with the passing of the Omnibus Rule in 2013, Business Associates are now also required to be HIPAA compliant thus making BAAs mandatory ensuring all parties involved are maintaining compliance on their end.
HIPAA requires every employee who may come in contact with PHI to go through a regular HIPAA training. With companies always hiring new employees, it can be hard to keep up with who is trained and who is not. Some companies opt to have a training once a year, but this can create gaps in compliance as certain employees might not be onboarding. It is up to the company to keep track of who is up-to-date on training and who is not. It is also up to the company to have training, so rather than crafting one on their own, many companies opt to take part in training provided by a third party.
Regular Risk Assessment
Risk Assessments are also to be taken at minimum of a yearly basis. Risk Assessments are crucial whenever a company is introducing a major change to the company such as a new product or service offering. While these Risk Assessments can be conducted internally, it is highly recommended that these audits are conducted by a third party. This ensures a fresh set of eyes and maintains and strengthens the entity's ability to have the backing of a third party's professional opinion in the event of an audit. Risk Assessments are a crucial part of maintaining compliance and should be conducted on a regular basis in order to ensure continued compliance in the event of an audit and to mitigate the risk of a breach.
Established Breach Notification Protocol
In the event of a breach of PHI it is important to have a standard operating procedure to ensure that the correct measures are taken. A breach could be as simple as an employee losing their cell phone that has access to PHI. Even if the phone is recovered, the amount of time that the phone could have been accessed could be considered a breach. A centralized breach reporting system is an integral piece of being HIPAA compliant. You could take every precaution and still be a victim of a cyberattack. A breach reporting system creates another level of legal protection to show that steps were taken even in the event of a breach.
As a general rule of thumb, if you are doing something you think might be helpful in making a case toward your HIPAA compliance in the event of an audit, the more documentation the better. Not only is your business constantly growing and changing, but so is what it means to be HIPAA compliant. Anytime a significant change is made to the business, your policies and procedures need to be updated. Anytime a new employee is hired, they need to go through a HIPAA training before they interact with any sort of PHI in order to maintain compliance. HIPAA compliance is a multifaceted issue that can require continued action to maintain compliance. HIPAA is much more than an online training or a 3-ring binder collecting dust in the office. It requires active engagement from all parties involved and continued education and procedure implementation in order to ensure that compliance is maintained.
Sound like a lot to handle on your own, doesn’t it? We agree. Schedule a call with one of our HIPAA Compliance Specialists today and let us show you how we can be a complete administrative solution to all of your HIPAA compliance needs!