Being HIPAA Compliant is a Journey
So, September 23, 2013, the HIPAA Omnibus Final Rule Enforcement Deadline, has come and gone, and you, the HIPAA Security Officer, are sitting back feeling confident that the HIPAA compliant policies, procedures, training, risk analysis, and all the other tasks you scrambled to finish are done. It’s time to sit back and relax. HIPAA is done, right? Wrong, it’s just beginning.
Once your HIPAA compliant foundation is in place, you need to maintain it. It’s not hard, but if you let it go it can become out of date quickly, and what was a HIPAA compliant environment can quickly slip away. Staying HIPAA compliant takes some work, but it sure beats the pain of dealing with a breach investigation.
Here are a few simple things you can do to maintain a HIPAA compliant environment.
1. HIPAA Compliant Human Resource Department
Make sure HIPAA stays on the radar of your HR staff. Be sure that HIPAA training is on the checklist for all employees. The next time a new employee is hired, ask to see the evidence that the person was trained prior to being given access to patient data. If it was done, document it as part of your internal auditing program to stay HIPAA compliant. If it wasn’t done, make sure the new employee is quickly trained, and work with HR to prevent future issues.
2. HIPAA Compliant Employees
Audit your employees to make sure they are HIPAA compliant. Check work areas to ensure that passwords are not visible: check their badges, under their mousepads and keyboards, on their walls, and on their monitors. Check the documentation for the tasks they perform. Observe them while they do their jobs. Let everyone know you are looking, and conduct random HIPAA audits regularly.
3. HIPAA Compliant Risk Analysis
Your HIPAA Risk Analysis is not a document to sit on a shelf forever. Being HIPAA compliant means you will review it at least once a year. Immediately document any significant changes, like moving to a new location, relocating IT equipment to a new data center, or implementing a new EHR system. If nothing changes in a year, just make a note, and sign and date it.
4. HIPAA Compliant Business Associates
A bigger challenge to being HIPAA compliant than your employees are your vendors, your Business Associates. People you have never met can cause a data breach that could cost you millions of dollars. Demand evidence that they are HIPAA compliant, and that their subcontractors are HIPAA compliant. Don’t think that because they signed a Business Associate Agreement it automatically means they understand HIPAA and are really complying. Trust but Verify.
5. Scheduling HIPAA Compliant Management
How can you remember everything needed to be HIPAA compliant? Use your computer to schedule reminders to audit HR and your employees. Schedule a date just under a year from now to review your Risk Analysis. Schedule reviews of your Business Associates in your calendar. Start with the ones that are the biggest threat to you staying HIPAA compliant, usually your IT company, cloud software vendor, data center, or online backup company. These providers have access to huge amounts of patient records that could be breached in seconds. If you believe that they or their subcontractors are not HIPAA compliant, work with them briefly to ensure their compliance, or replace them. Anything else would be a data breach.
Mike Semel is certified in HIPAA, has been the CIO for a hospital (Covered Entity), and has provided IT support for healthcare providers (as a Business Associate). Mike is certified in Business Continuity planning and helped develop the CompTIA Security Trustmark. Semel Consulting offers a managed compliance service called HIPAA SOS, compliance audits, Meaningful Use Security Risk Analysis, and business continuity planning. Visit www.semelconsulting.com for more information.