HIPAA compliance requires a solid set of procedures and steady operations. Here are some best practices for developing HIPAA compliance procedures that work.
Healthcare providers and business associates must adhere to a variety of HIPAA regulations and requirements. Effective governance means creating effective operational policies and procedures that streamline the organization’s ability to adhere to those regulations and requirements.
Not doing this can result in hefty fines; HIPAA fined 10 companies $28.7 million in 2018, marking a significant 22 percent jump in HIPAA fines over 2016. To alleviate concerns of getting fined (or suffering reputational damage), companies should focus on the following considerations and best practices that can make HIPAA compliance procedures more simple.
1. Know the basics
Organizations can get a hold of “The Seven Fundamental Elements of an Effective Compliance Program,” which is a compliance and training guide that outlines the seven guiding principles that should act as the foundation for all HIPAA compliance efforts. The guide was released by the Office of the Inspector General (OIG) for the Department of Health and Human Services (HHS) and these are also the criteria that would be used by an auditor during an investigation.
2. Protect all ePHI
All electronic patient health information (ePHI) needs to be protected. In cases where an organization may not know where all ePHI is located in the environment, the organizations should assume that all systems contain ePHI and that they must be adequately protected. In short: better safe than sorry.
If an organization is unsure, it should assume that all systems in the environment are in scope for HIPAA. Best practice would be to segment out any systems that receive, transmit or store ePHI to limit the scope; however, a HIPAA-compliant risk analysis/risk management program should cover all potential places that could touch ePHI.
3. Implement an incident response plan
Breaches happen and all organizations should anticipate a breach at some point. The best path forward is to have an incident response plan that can help mitigate the aftermath of a breach and minimize potential impact. A risk analysis can help to identify all potential risks and vulnerabilities, but it’s also imperative to be able to respond quickly to reduce any negative impacts for customers. Proper notification of customers and those impacted should also be included in this type of plan.
On a related note, healthcare organizations can keep a close watch on other breaches that occur within the industry to note common patterns. From there, the IT environment can be crawled and monitored to see if any similar vulnerabilities exist.
4. Work with a trusted partner
Those that partner with a cloud services provider or the managed hosting provider should ensure that they choose wisely. Most of these providers operate under a shared responsibility model, splitting the responsibility for different aspects of security and compliance with the user. Some providers offer special features, services, and tools that streamline HIPAA compliance, but organizations should note that partnering with this type of organization alone is not proof of compliance.
The standards must still be adhered to, which requires the enforcement of a variety of rules and requirements. Compliance is not a feature of your managed hosting provider but may be the result of partnering with a solid one.