5 Of The Easiest Fixes To Be HIPAA Compliant
Becoming HIPAA-compliant is no easy feat. It takes years of work, maintenance, and preparation. While this can be a daunting task, some simple fixes can be made to start you and your practice in the right direction.
1 – Assign a Compliance Officer
The Compliance Officer is a crucial position for ensuring that your practice maintains HIPAA compliance. It is also not optional: the Privacy Rule requires a designated privacy official and the Security Rule a designated security official, and in a small practice one person can hold both roles. You do not have to hire someone new with years of experience. Your best compliance officer is someone who already works for you, knows your practice, and understands both the medical and the business side of it. This is often the practice manager, or in a smaller practice, a technician or whoever handles billing. The compliance officer's responsibilities include facilitating annual training, keeping documentation updated and acknowledged by staff, getting BAAs signed, and looking out for the overall health of the practice's HIPAA compliance.
2 – Store Policies, Procedures, and BAAs in One Place
At the core of HIPAA compliance lies documentation. When the HHS Office for Civil Rights (OCR) audits or investigates a practice, it does not just look at what you are doing today. It wants to see documentation of every policy, procedure, technical safeguard, training session, vendor relationship, technology asset, user access grant, and many other inventories, and it expects that documentation to be retained: the Privacy and Security Rules both require it to be kept for six years from the date it was created or last in effect, whichever is later. The best way to keep track of all this is to have your HIPAA-specific policies, procedures, and all of your vendor BAAs in one place so that they can be easily tracked and updated. Many tools and services can help with this process and bring experience in drafting these documents that may not exist within the office.
3 – Ensure All Vendors Have Business Associate Agreements (BAAs)
HIPAA, through both the Privacy Rule and the Security Rule, requires a Business Associate Agreement with each vendor that creates, receives, maintains, or transmits PHI on the practice's behalf. HHS publishes sample BAA provisions on its website. Any template needs to be tailored to each vendor and signed by both the covered entity (the practice) and the vendor. What a BAA does is make the vendor contractually responsible for safeguarding your PHI, for reporting security incidents and breaches back to you, and for passing the same obligations down to its own subcontractors. Here is a simple, made-up scenario:
A fax company provides a faxing network to several hospitals and private practices. It even offers a fax-to-email service, which the physicians love. As it turns out, the vendor did not require its database administrators to use strong passwords, and one of their accounts was compromised. A hacking group now has full access to the fax history of all of the fax company's clients.
Why does this matter to your practice? It was the fax company that was breached, not you. The HIPAA Privacy and Security Rules require each covered entity, or practice, to safeguard its PHI, and that includes sharing PHI only with vendors that have agreed, in a BAA, to protect it. If the practice had no BAA with the fax company, then every fax it sent through that service was an impermissible disclosure of PHI, and the practice can be fined for that failure on top of dealing with the fallout from the vendor's breach. If the practice did have a BAA, the fax company is responsible for its own security failure and is directly liable to HHS for it; the practice is generally not liable for the vendor's violation (the exception is a vendor acting as the practice's agent). The practice still has to investigate, notify the affected patients and HHS, and document the breach, because the patients are its patients. A BAA does not make a breach somebody else's problem; it makes sure the vendor has accepted the obligation to protect your data and to tell you when something goes wrong.
4 – Require All Employees to Take Annual HIPAA Training
HIPAA requires that every member of the covered entity's workforce is trained on its privacy and security policies: new hires within a reasonable time after they start, everyone again whenever the policies materially change, and periodic security reminders in between. The rules do not spell out the word "annual", but annual training is the interval practices and auditors have settled on, and it is the easiest way to show the training actually happens. Two rules need to be covered in the training: the Privacy Rule and the Security Rule. Practices can deliver the training internally, hire a consultant or group, or use online courses. Every training is different and there is no HHS certification that says "this course meets HIPAA requirements", so check the content yourself: it should cover data privacy, the types of data that count as PHI, the different types of permitted and prohibited disclosures, and general security practices. Training courses come with many different price tags from many different companies, so be careful when selecting the right one for your practice. Finally, keep a record of who completed the training and when; HIPAA requires the training to be documented, and that record is what an auditor will ask for.
5 – Use Common Sense
While common sense is not a HIPAA requirement, it goes a long way in protecting your data and your patients' privacy. Most breaches and HIPAA violations are the result of a mistake or of simply not thinking something through. There are examples of HIPAA violations that sound ridiculous but really happened. Here are some:
- Posting PHI on social media
- Not verifying the patient's identity before giving them information
- Asking yes-or-no questions when verifying identity ("Does your social end in 1234?"), which hands the caller the very information you were supposed to be checking
- Taking images of conditions (skin conditions, lacerations, x-rays) on personal devices and emailing them to a work email address
All of these HAPPENED and could easily have been avoided if the employees involved had used some common sense: ask the patient to supply identifying details rather than confirming them, keep PHI off personal devices and personal accounts, and when in doubt, do not post it, send it, or say it.