Behind the scenes of a scaling business: Five steps to better HIPAA compliance

December 3, 2020  |  Michael Hannan

Editor’s note: This commentary — the first in a four-part series — is sponsored and produced by LightEdge, a leading provider of enterprise-grade data center solutions — rooted in colocation and private cloud, and wrapped in security and compliance. The company delivers always-on internet with highly interconnected data centers, unmatched Compliance as a Service, and the balance of control and visibility to keep clients’ internal teams focused on strategic initiatives. The opinions expressed in this commentary are the author’s alone.

[divide]

Healthcare organizations and their business associates are required to operate in compliance with the HIPAA Privacy and Security Rules or face civil and criminal penalties. The Health Insurance Portability and Accountability Act (HIPAA) was originally enacted in 1996 and has been amended several times since as the industry changed, notably by the HITECH Act of 2009 and the 2013 Omnibus Rule, which extended direct liability to business associates.

Are you confident everyone in your organization is HIPAA-compliant? Follow these steps to strengthen compliance and reduce your risk of a devastating breach.

Develop continuing trainings

Implement a comprehensive set of security policies to provide a foundation for quality patient care and operational success. These policies should be crystal-clear guides for daily activity and error reduction.

HIPAA training shouldn’t be a one-and-done session. Employees should receive appropriate HIPAA training at onboarding and at regular intervals afterward to keep everyone up to speed. Third-party vendors who handle PHI on your behalf should complete the training as well. Best practice is to break the training into digestible sections to avoid overwhelming employees. Employees should sign off on the relevant policies at the end of each training session, and those sign-offs should be retained as evidence.

It can be difficult to know exactly what to document. A good rule of thumb is to cover anything that relates to protected health information (PHI). Review privacy policies regularly and communicate any changes to employees. There is no excuse for uninformed employees, and, “I didn’t know,” will not get you off the hook should issues arise. 

Hire dedicated security staff

The Security Rule requires every covered entity and business associate to designate a security official who is responsible for its security policies and procedures. Smaller organizations often fold this into an existing role; larger ones hire a dedicated HIPAA Security Officer. Responsibilities of a dedicated security staff member typically include:

  • Establishing and enforcing the Security Rule safeguards and any guidance issued by the HHS Office for Civil Rights (OCR)
  • Addressing issues related to access controls and incident response
  • Conducting risk assessments and aiding in third-party audits
  • Investigating data breaches and implementing measures to contain and prevent recurrences
  • Integrating IT security and HIPAA compliance with the organization’s business strategies

Many policies affect the operation of the IT department, so it is important that a HIPAA Security Officer understands the covered entity’s computer systems and where PHI lives within them. Because the responsibilities are so varied, find a candidate in a position of authority with strong organizational skills and a thorough understanding of HIPAA and other compliance regulations.

Complete internal audits

Internal audits are good practice to catch issues before they result in fines, shutdowns, or terminations. Test your procedures regularly so you’re prepared if OCR selects you for an audit or investigates a complaint.

The Office for Civil Rights publishes audit protocols and, together with ONC, a free Security Risk Assessment (SRA) tool to get you started.

Do a walk-through and look for things like visible Protected Health Information (PHI) at workstations, on printers, and on unattended screens. Check that passwords meet your policy’s strength requirements. HIPAA itself sets no rotation interval; many organizations use 90 days as a default, though current NIST guidance (SP 800-63B) favors long, unique passwords with changes triggered by suspected compromise rather than by the calendar, so document whichever choice you make. Keep in mind that both electronic data and physical records can cause issues, and audit both diligently. This includes keeping an eye on PHI in email, especially messages leaving the organization unencrypted.
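One way to put the “PHI in email” check on a repeatable footing is a small outbound-mail sweep that flags messages carrying PHI identifiers to external recipients without encryption. The following Python is an added example written for this article, not code from the author or from LightEdge; the internal domain name, the message fields (`to`, `encrypted`, `body`), the identifier patterns, and the sample messages are all constructed for illustration.

```python
"""Toy DLP-style sweep for PHI in outbound email (added example).

Assumptions, all constructed for illustration: the organization's mail
domain is clinic.example, each message is a dict with 'to', 'encrypted'
and 'body' keys, and the sample outbox below contains no real PHI.
"""
import re

INTERNAL_DOMAIN = "clinic.example"  # assumed internal mail domain

# Regexes for common PHI identifiers. The SSN pattern rejects area, group
# and serial values the SSA never issues (000, 666, 9xx, 00, 0000) to cut
# obvious false positives such as invoice or order numbers.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*:?\s*\d{1,2}/\d{1,2}/\d{4}\b",
                      re.IGNORECASE),
    "icd10": re.compile(r"\bICD-?10\s*:?\s*[A-TV-Z]\d{2}(?:\.\d{1,4})?\b",
                        re.IGNORECASE),
}

# Constructed sample of outbound messages (no real patient data).
SAMPLE_OUTBOX = [
    {"to": "billing@clinic.example", "encrypted": False,
     "body": "Patient MRN: 00483921, DOB: 04/12/1967, follow-up scheduled."},
    {"to": "records@partner-lab.example", "encrypted": True,
     "body": "Referral for MRN #00483921, ICD-10: E11.9. See attached."},
    {"to": "family@gmail.example", "encrypted": False,
     "body": "Hi, your SSN 123-45-6789 was needed for the intake form."},
    {"to": "vendor@printers.example", "encrypted": False,
     "body": "Invoice 4412 is due Friday. Thanks!"},
]


def find_phi(text):
    """Return {category: [matched strings]} for every PHI pattern that hits."""
    hits = {}
    for name, pattern in PHI_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def is_external(address):
    """True when the recipient's domain is not the assumed internal domain."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def audit_outbox(messages):
    """Flag messages that carry PHI to an external recipient unencrypted.

    Returns a list of (recipient, sorted list of PHI categories) tuples.
    Internal mail and encrypted external mail are not flagged.
    """
    findings = []
    for msg in messages:
        hits = find_phi(msg["body"])
        if hits and is_external(msg["to"]) and not msg["encrypted"]:
            findings.append((msg["to"], sorted(hits)))
    return findings


if __name__ == "__main__":
    for recipient, categories in audit_outbox(SAMPLE_OUTBOX):
        print(f"UNENCRYPTED PHI to external recipient {recipient}: "
              f"{', '.join(categories)}")
```

Run against the constructed outbox, only the unencrypted message to `family@gmail.example` is flagged: the internal billing message and the encrypted referral pass, and the invoice number is not mistaken for an SSN. Pattern matching of this kind is a starting point for an audit, not a substitute for a real DLP product: it will miss free-text PHI (names paired with conditions, for instance) and will still produce some false positives, so treat its output as a list of messages for a human to review and record the review in your audit documentation.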

Quarterly internal checks are a good place to begin. Document the results of your internal audits and necessary changes to your policies. Develop and execute a plan to review and update your policies and procedures based on your internal audit results.

Understand breach notification requirements

Breach response follows a specific protocol. Take the time to read the Breach Notification Rule to understand what constitutes a breach, what steps you can take to avoid one, and what documentation you need to retain. Under the Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless you can demonstrate, through a documented risk assessment, a low probability that the PHI was compromised. Keeping that assessment and the supporting evidence is what allows you to avoid unnecessary business impact.

Following a breach of unsecured PHI, covered entities must notify affected individuals and the Secretary of Health and Human Services without unreasonable delay and no later than 60 days after discovery, and must also notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction. Business associates must notify the covered entity when they discover a breach. Organizations should also build a cyber incident response plan that includes breach notification as part of a broader disaster recovery program, so the clock does not start on an unprepared team.

Secure relationships with business associates 

All of your vendors who create, receive, maintain, or transmit PHI on your behalf are business associates and must be HIPAA-compliant in their own right. Take action to verify that they follow proper procedures: require them to complete training, to participate in your auditing procedures, and to show evidence of their own risk assessments.

The Privacy Rule requires that a covered entity obtain satisfactory assurances that its business associates will appropriately safeguard PHI received or created on behalf of the covered entity. The assurances must be in writing, in the form of a business associate agreement or other contract between the covered entity and the business associate. Developing and following an established set of procedures based on HIPAA mandates will minimize your risk of being found noncompliant.

[divide]

This commentary is sponsored and produced by LightEdge.

LightEdge specializes in HIPAA-secure data center facilities. With a deep expertise in empowering healthcare organizations, its data centers, hosting solutions, and compliance-as-a-service offerings provide customers with the confidence and guidance to meet HIPAA requirements seamlessly.
