Get HIPAA Compliant with Confidence


HIPAA Compliance is complicated enough even if you do speak tech. How can you prioritize all the required tasks and procedures you need to implement to protect electronic data when you have important patients to attend to?  HIPAA privacy rules can be overwhelming and confusing-especially if you don’t have the right IT support to help your organization make sense of it all.


Penalties for HIPAA violations and data breaches are having a devastating impact on the Healthcare Industry – or any other industry for that matter. Now more than ever, healthcare organizations need to become proactive about security standards.  

It’s worth noting that any company that handles protected health information (PHI) requires a series of physical, network, and process security measures to remain HIPAA compliant. Hefty fines are one result of negligence; The health, credibility, and reputation of your business are often compromised as well.  That said, it might be time to rethink the current business IT strategy and dedicate focus on what steps should be taken to avoid violating HIPAA rules and flagging the audit. There’s a lot to unpack, but adopting a solid process that makes sense to your organization is key to compliance.

What is the Purpose of HIPAA?

According to the U.S. Department of Health and Human Services (HHS), the purpose was to improve the efficiency and effectiveness of the healthcare system by adopting national standards for electronic health care transactions, codes, unique health identifiers, and security which protects the privacy of an individual.  Advances in electronic technology meant new cyberthreats jeopardized the privacy of health information. Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to set new standards regarding a patient’s protected health information (PHI).

  • Mandates standards for healthcare information on electronic billing and other processes.
  • Reduces healthcare fraud and abuse.
  • Requires the protection and confidential handling of protected health information.
  • Enables the transfer and continuation of health insurance coverage for millions of Americans and their families when they change or lose jobs.

exclamation_markUnderstanding the purpose of the legislation seems pretty logical. Understanding the expectations and technical complexities often involved with being deemed HIPAA compliant is an entirely different ballgame…


 
 

daily-HIPAA-checklist-report-1

  • Compliance Audits – HIPAA requires you to conduct annual audits of your practice to assess Administrative, Technical, and Physical gaps in compliance with HIPAA Privacy and Security standards.
  • Remediation Plans – Once you’ve identified gaps, you must implement remediation plans to reverse any potential HIPAA violations.
  • Policy & Procedure Training for Employees – To avoid HIPAA violations, you’ll need to develop Policies and Procedures corresponding to HIPAA regulatory standards. Annual staff training on these Policies and Procedures is also required.
  • Documentation – Your practice must document efforts you take to become HIPAA compliant. This documentation is critical during a HIPAA investigation with HHS.
  • Business Associate Management Agreements – Always document all vendors with whom you share PHI and execute Business Associate Agreements to ensure PHI is handled securely and mitigate liability.

 


Have you conducted the following Audits and Assessments?

  • Security Risk Assessment
  • Privacy Assessment
  • Administrative Assessment

Have you identified all deficiencies discovered during the audits?

  • Have you documented all deficiencies?
  • Have you created remediation plans to address deficiencies for the following?
  • Security Risk Assessment
  • Privacy Assessment
  • Administrative Assessment

Do you have Policies & Procedures in place in regard to the HIPAA Privacy, Security, and Breach Notification Rules?

  • Have all staff members read and attested to the Policies and Procedures?
  • Do you have documentation of their training?
  • Do you have documentation for annual reviews of your Policies and Procedures?

Have all staff members undergone basic HIPAA training?

  • Do you have documentation of their training?
  • Is there a staff member designated as the HIPAA Compliance, Privacy, and/or Security Officer?

Have you identified all Business Associates?

  • Do you have Business Associate Agreements in place with all Business Associates?
  • Have you audited your Business Associates to ensure that they are HIPAA compliant?
  • Do you have reporting to prove due diligence?

Do you have a management process in place in the event of incidents or breaches?

  • Do you have the ability to track and manage the investigations of all incidents?
  • Are you able to demonstrate that you have investigated each incident?
  • Are you able to provide reporting of minor or meaningful breaches or incidents?
  • Do your staff members have the ability to anonymously report an incident?
  • AUDIT TIP: If audited, you must provide all said documentation in an eligible format to auditors.

The HIPAA checklist briefly covers some important factors that influence the outcomes when the government comes knocking with that surprise audit.  It’s critical to understand the implications a violation can have on your practice.  The American Medical Association does a good job of discussing violations and penalties here.

Ask yourself this question: Does your business deal with protected health information (PHI)? If so, they must be HIPAA-compliant. Covered Entities under HIPAA include health care providers, health plans, and healthcare clearinghouses.

What constitutes a business associate?  Good question.

A HIPAA Business Associate* (BA) is an organization with access to Protected Health Information (PHI) such as:

  • IT Service Providers
  • Shredding Companies
  • Documents Storage Companies
  • Attorneys
  • Accountants
  • Collection Agencies
  • EMR companies
  • Data Centers, Online Backup companies, Cloud vendors
  • Insurance Agents
  • Revenue Cycle Management vendors
  • Contract Transcriptionists

A Business Associate agreement should be on file for each business associate. The agreement should:

  • Describe how the business associate will use PHI.
  • Require that they use HIPAA-compliant safeguards to protect sensitive data.
  • Require timely reporting of any data breaches.

     *Legally, every Business Associate and their subcontractors must comply with HIPAA reporting requirements too.

 


 

Patient Data Breaches and HIPAA Penalties

Data protection and compliance initiatives are taking their rightful place on the short list of IT priorities in the medical/healthcare industry. Your practice is at risk of being hit by huge Federal fines unless you are vigilant about establishing an ongoing process that protects the private health information (PHI) of your patients. Can your practice sustain million dollar-plus fines for violations of the HIPAA security rule? Can you survive the public scrutiny or sustain a damaged reputation security breaches can guarantee?

Just recently, a Texas cancer treatment center was fined $4.3 million in civil penalties for violating the privacy rule and security rule regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  The unfortunate incident occurred when the house of an employee was broken into, their unencrypted laptop and two unencrypted USB thumb drives stolen, and with it, the unencrypted electronic protected health information (ePHI) of roughly 33,500 people was gone as well.

The HIPAA laws require that you bring in a professional for an annual Risk Analysis to identify issues in your computer network, procedures, and policies that could compromise electronic patient health information (ePHI). Additionally, the law requires you to have a Management Plan and Evidence of Compliance to document the remediation of discovered issues in the event of an audit.

Failure perform this risk analysis or applying the results of the analysis is where organizations are penalized for audit failure and poor security standards. Managing your HIPAA compliance and maintaining levels of security mandated by the federal government is tedious, time-consuming, and best paired with specialized IT support.

 


 

What Can You Do?  Start with a comprehensive assessment. Period.  

hippa-compliance-back-1Computers, devices, and equipment don’t arrive with a HIPAA-compliant seal of approval. The onus of responsibility is on healthcare organizations and their business associates to support their technology with solid policies and carefully managed processes. Without these systems in place, your practice risks breaches and costly violations.

For instance, are you documenting any unsecured systems or encrypting all data?  How strong is your password policy? Do you have a process in place to report and document any and all instances of suspected hacking, phishing, malware, or ransomware attempts?  Do you have ongoing employee education and awareness initiatives?  What system is in place in the event of PHI disclosure by your organization or Business Associates? These are all vital spokes in the wheel of HIPAA compliance and it is an ongoing, long-term commitment that must be prioritized.

Resolving some of the issues may be as simple as training employees to update passwords regularly. Unfortunately, many issues are more complex, such as changing the data backup and recovery program which requires more health information technology expertise.

Get Proactive

Framework’s complementary CareFree™ HIPAA Compliance Assessment is a proprietary tool that combines state-of-the-art technology automation and physical observations of your environment.  The assessment analyzes almost every aspect of your network and operations to measure and report on any potential vulnerabilities or HIPAA security risks. Once completed, we provide a comprehensive report that includes:

  • Risk Analysis
  • Management Plan
  • Evidence of Compliance.

The assessment provides a Risk Score Matrix algorithm that prioritizes the work that should be done based upon potential impact to your practice.  We provide a full set of documentation required under the HIPAA security rule and also offer the ongoing expert IT support that is needed to resolve any HIPAA related IT issues we discover.

Our proprietary data collectors compare multiple data points to uncover hard to detect issues, measure risk based on impact to the network, suggest recommended fixes, and track remediation progress. Additionally, our detailed Risk Scores go far beyond providing you with a single number on a scale. You also get the details behind the score, so you know what issues are generating the greatest risks.

 


 

Helping you achieve your mission is our mission.  

We significantly improves client satisfaction through a proactive, holistic, and transparent process.  Framework’s state-of-the-art technologies and reporting accurately capture and document the overall health of your network in real-time.

The best part? This assessment is complementary!  Why gamble when so much is on the line. Give us a call at 312-265-8733 or stop by our website to learn more about our Healthcare Managed IT Services and get HIPAA compliant for good!