I don’t like this title. It’s too black and white, and HIPAA is neither. HIPAA compliance is a moving target that is very difficult to attain and be confident that you’ve attained. It’s really an ongoing business risk management issue that needs to be continuously reviewed, assessed and adjusted.
Auditors are looking for proof and assurances that those bound by HIPAA are doing everything they can that is reasonably and appropriately feasible to implement within the organization.
Here are some steps you can take to become more compliant. This is not meant to be a complete list of all that is required. This will be identified to you once you complete the first recommendation. Rather, this is a good starting point that covers some major overarching themes to HIPAA compliance.
- Perform a risk analysis. This is not a one-time thing, and by the way, it is now required by law. Risk assessment needs to be continuous. It should become a part of the ongoing operation of the organization and be embedded as part of the corporate culture. A thorough risk analysis will let the organization know where the deficiencies are and provide a good starting point from which to begin addressing them. There are third party companies that perform this service and will hold your hand as you go through the process. It’s worth investing the money and hiring a professional to make sure you are doing it properly and identifying all your areas of exposure. Checklists oftentimes will not hold up under an audit. Once you have a good risk analysis it will drive everything else you do toward getting compliant.
- Get started today. There is no substitute for taking action even if what you can do seems insignificant.
- Document everything. You can never have too much documentation. Document each step and every decision you make. Why you do something, why you don’t do something, when you’re planning on doing something – everything. Auditors want to see that you have a plan in place, the reasoning behind it and what your anticipated timelines are.
- Train your workforce. Your HIPAA compliance is only as good your employees’ understanding. The extent to which they are knowledgeable about what is right and wrong and what is acceptable and what is not will govern your company’s level of compliance with the law.
- Work with a technology partner that takes HIPAA seriously. It is critical that the provider you choose understands the nuances of this complex code and can provide you with assurances (documentation) that they are meeting the required standards to keep both themselves and your company in full compliance.
- Start with ‘low hanging fruit’. Things that are easy to implement, don’t cost much and will create an immediate impact should be your first targets. Examples of this might be: enacting a more complex password policy, making sure that workstations lock after a short period of inactivity and eliminating the use of personal email accounts for any sort of communication that involve PHI (Protected Health Information).
- Identify your Business Associates and get Business Associate Agreements in place. HIPAA law has very specific requirements for the various vendors, data handlers and other parties who come into contact with PHI. Determining who the policy applies to for your company can be tricky, but it’s a crucial part of becoming compliant. Once you have identified all the relevant players, you must establish Business Associate Agreements to ensure that everyone covered by the law is aware of and meeting the law’s requirements.
- Rinse and repeat. Remember, this is an ongoing process. Once you’ve completed all the steps above you can’t check it off your list and be done with it.
It’s a daunting list, to be sure, and it’s not going to go away even after you’ve completed these eight steps. The good news is that complying with HIPAA law becomes easier once you’ve become familiar with the requirements and learned to recognize potential danger areas, along with which new associates are likely to qualify as Business Associates.
Don’t let yourself be intimidated by the difficulty and put your head in the sand; the risks of noncompliance are too great. Face the challenge and do what you can, with expert support when necessary. And if you have questions or need professional guidance, Network 1 is here to help.