The Health Insurance Portability and Accountability Act (HIPAA) created standards to protect sensitive patient information, and those standards took on more importance as the digitalization of patient health records became widespread. The steep price of noncompliance with HIPAA makes compliance very compelling.
A HIPAA compliance plan doesn’t come together overnight. It requires resources, strategy, and continuous maintenance. We’ve outlined 5 steps to get you on the road to HIPAA compliance.
- Designate an individual (or a team) as the HIPAA overseer. The responsible party should have the authority and funding to follow through with the program.
- Develop and implement HIPAA policies and procedures. The policies and procedures should spell out the organization’s expectations for its workforce. HIPAA implementation consists of five main categories:
  - Privacy rules regulate how protected health information (PHI) can be used and shared.
  - Security rules require physical, technical, and administrative safeguards that a covered entity must have in place to protect that information.
  - Enforcement rules provide instruction for determining liability and setting fines for non-compliance.
  - Breach notification rules set guidelines for reporting breaches to the patients who have been affected, to the Department of Health and Human Services, and to the media.
  - Omnibus rules outline how business associates and vendors must handle the PHI of a healthcare entity.
- Provide HIPAA training to all staff members. A primary obligation of the responsible security officer is to ensure the entire medical and office personnel is trained on basic HIPAA requirements. Specific departments should receive more detailed training on policies relevant to their workloads.
- Complete a security risk analysis (SRA) to determine the present state of HIPAA compliance. There is a free SRA tool available from the Office of the National Coordinator for Health Information Technology.
- Sign a contract, otherwise known as a BAA (business associate agreement), with every contractor or vendor that maintains, accesses, receives, or transmits electronic PHI. These parties include cloud service providers as well as accounting and transcription service companies. HIPAA’s omnibus rules require having a BAA in place with each such partner to maintain PHI security and overall HIPAA compliance.