Given that it was enshrined in law 24 years ago, HIPAA lacks clarity on precisely which measures you need to take to secure electronic protected health information (ePHI). After all, today’s IT environments look very different to how they did in 1996. HIPAA applies to what it defines as covered entities and business associates. Covered entities are healthcare providers themselves, while business associates are individuals or companies who handle PHI on their behalf, such as clearing houses and technology providers. No matter your role or primary target market, if you handle PHI, you must be HIPAA-compliant. The following tips will help you do just that.
1. Determine which audits you need and how often
HIPAA requires that covered entities and business associates carry out periodic evaluations of their security measures. Although it doesn’t specify a frequency for these audits, you should have a routine audit carried out at least once per year or after any significant changes to your processes or technology. For example, if you’ve recently installed new servers or incorporated new cloud software into your existing workflows to manage PHI, you need to conduct a comprehensive security audit.
2. Examine your current infrastructure and document any shortcomings
Almost all HIPAA audits uncover some observations or potential violations, which need to be remediated as soon as possible. The best way to identify any vulnerabilities or violations is to have a professional audit carried out by a HIPAA-compliant third party. They will review your security measures from the outside looking in, which can reveal things you may not have noticed.
3. Document and review your remediation plans
You should maintain a complete audit trail of every change you make to your computing and operational environment, including any remediation steps you take following an audit. If your organization is inspected following a data breach or leak, you’ll need to be able to prove your efforts to stop such events from occurring.
4. Designate your security, privacy, and compliance officers
HIPAA also requires that covered entities and business associates have designated privacy and security officers. Many larger companies have, for example, a dedicated chief information security officer. However, this may not be affordable for smaller organizations, in which case you might want to consider outsourcing the role to a managed IT services provider that specializes in serving the healthcare industry.
5. Ensure proper training for all your employees
Security awareness training is an addressable specification under HIPAA, which means there’s some flexibility over how and when you implement a training program. However, given that almost every data breach or leak includes a human element, the importance of training your employees cannot be overstated. Every organization should have documented training schedules to help employees who access PHI better identify threats like malware and social engineering attacks.
6. Perform due diligence when onboarding new suppliers
Business associates often have business associate agreements with other companies, which can complicate supply chains. But these are unavoidable in many cases, especially when it comes to technological innovation. Every organization should have a clear set of policies to govern the onboarding of new suppliers depending on what sort of systems and data they’re likely to have access to. Companies should perform due diligence and know-your-customer checks before onboarding any new suppliers, particularly if said suppliers are to have access to PHI.
7. Review data breach report and notification processes regularly
In addition to the Security and Privacy Rules, HIPAA has a Breach Notification Rule calling for complete transparency in the event of an incident that compromises PHI. Covered entities must notify affected patients if there’s a reasonable chance that their data may have been compromised. Breach notifications also need to state which personal identifiers were exposed and which steps you have taken to remediate the incident. If you know who the unauthorized party that accessed the information was, to whom the disclosure was made, and whether the PHI was viewed or merely acquired, you should also disclose these details.
Online Computers provides expert HIPAA guidance and an all-in-one platform known as The Guard. Download our flyer to find out just how easy it can be to simplify your compliance.