1. Determine which audits you need and how often

HIPAA requires that covered entities and business associates carry out periodic evaluations of their security measures. Although it doesn’t specify a frequency for these audits, you should have a routine audit carried out at least once per year or after any significant changes to your processes or technology. For example, if you’ve recently installed new servers or incorporated new cloud software into your existing workflows to manage PHI, you need to conduct a comprehensive security audit.
2. Examine your current infrastructure and document any shortcomings

Almost all HIPAA audits uncover some observations or potential violations, which need to be remediated as soon as possible. The best way to identify any vulnerabilities or violations is to have a professional audit carried out by a HIPAA-compliant third party. They will review your security measures from the outside looking in, which can reveal things you may not have noticed.
3. Document and review your remediation plans

You should maintain a complete audit trail of every change you make to your computing and operational environment, including any remediation steps you take following an audit. If your organization is inspected following a data breach or leak, you’ll need to be able to prove your efforts to stop such events from occurring.
4. Designate your security, privacy, and compliance officers

HIPAA also requires that covered entities and business associates have designated privacy and security officers. Many larger companies have, for example, a dedicated chief information security officer. However, this may not be affordable for smaller organizations, in which case you might want to consider outsourcing the role to a managed IT services provider that specializes in serving the healthcare industry.
5. Ensure proper training for all your employees

Security awareness training is addressable under HIPAA, which means there’s some flexibility over how and when you implement a training program. However, given that almost every data breach or leak includes a human element, the importance of training your employees cannot be overstated. Every organization should have documented training schedules to help employees who access PHI better identify threats like malware and social engineering attacks.
6. Perform due diligence when onboarding new suppliers

Business associates often have business associate agreements with other companies, which can complicate supply chains. But these are unavoidable in many cases, especially when it comes to technological innovation. Every organization should have a clear set of policies to govern the onboarding of new suppliers, depending on what sort of systems and data they’re likely to have access to. Companies should perform due diligence and know-your-customer checks before onboarding any new suppliers, particularly if said suppliers are to have access to PHI.
7. Review data breach report and notification processes regularly

In addition to the security and privacy rules, HIPAA has a breach notification rule that calls for complete transparency in the event of an incident that compromises PHI. Covered entities must notify patients if there’s a reasonable chance that their data may have been compromised. Breach notifications also need to state which personal identifiers were exposed and which steps you have taken to remediate the incident. If you know who the unauthorized party that accessed the information was, to whom the disclosure was made, and whether the PHI was viewed or merely acquired, you should also disclose these pieces of information.

Online Computers provides expert HIPAA guidance and an all-in-one platform known as The Guard. Download our flyer to find out just how easy it can be to simplify your compliance.