The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to ensure that healthcare facilities and insurance companies take steps to protect their patients’ sensitive data. As technology has progressed, so have the official HIPAA requirements. Now, all business associates, from mobile app developers to cloud hosting companies, must also follow the strict guidelines outlined by HIPAA. Read on to find out how covered entities can ensure compliance and avoid potential civil or criminal penalties.
1. Secure Relationships with Compliant Associates
The Privacy Rule of HIPAA requires that covered entities, such as healthcare facilities, obtain guarantees that all their business associates are also complying with all the provisions set forth in HIPAA. Get assurances in writing before working with new vendors or technology companies. Facility managers can learn about HIPAA faxing and other compliant communication methods online to make sure they’re working with the right business associates to transmit sensitive patient data.
Healthcare facilities that fail to confirm the compliance of their business associates may be held responsible for some degree of the damage done by data breaches that occur as a result of their negligence. They can be subject to fines or even criminal penalties. Even in the absence of these legal consequences, the facility’s reputation could be damaged by a business associate’s non-compliance, especially if it results in a data breach. Don’t underestimate the importance of vetting vendors carefully.
2. Perform Self-Audits
HIPAA requires all covered entities and their business associates to complete self-audits to identify potential issues that could violate compliance protocols. During these audits, the security officer or staff should address technological, administrative, and physical safeguards put in place to protect patient data. The best way to make sure nothing gets overlooked is to follow the official HIPAA compliance checklist. If there are any potential weaknesses that come up during this audit, the company is responsible for addressing them as quickly as possible to get back into compliance.
While HIPAA stipulates that all covered entities and business associates must perform internal audits, it does not outline a particular timeline. Most organizations start with quarterly checks, then make changes to the self-audit timeline depending on the results of the audit and the subsequent changes to relevant policies and procedures. HIPAA regulators also conduct random external audits and can fine organizations found to be non-compliant, so don’t underestimate the importance of keeping everything up to date and above board.
3. Keep Up with Employee Training Protocols
HIPAA specifically mandates that employees of covered entities and their business associates must be provided with training to ensure that they understand the importance of HIPAA-related security protocols. The training sessions shouldn’t be a one-off event, though. Implement a protocol for ensuring ongoing employee education, and keep up with it by offering refresher courses on data security and HIPAA compliance.
As with internal audits, HIPAA does not specifically outline how often employee training sessions need to take place. However, both its Privacy Rule and Security Rule can be referred to for helpful suggestions.
The Privacy Rule indicates that training must be offered to every new employee who joins the facility’s team “within a reasonable period,” and again whenever policy or procedural changes effect material changes in data security. Keep in mind that all employees play different roles and interact with patient data in different ways. A training session designed for medical personnel won’t necessarily be the same as one designed for the facility’s IT staff.
4. Don’t Let Security Roles Go Unfilled
It’s important for healthcare facilities to have security officers and other staff members capable of ensuring HIPAA compliance and executing relevant training sessions, policies, and procedures. Most hospitals hire dedicated HIPAA security officers whose exclusive focus is on compliance. They establish, manage, and enforce safeguards in accordance with the Security Rule and address issues regarding access control. HIPAA security officers are typically tasked with performing routine risk assessments and internal audits, investigating breaches, and implementing containment strategies, as well.
Given how many roles a HIPAA security officer must fulfill in the course of performing his or her essential work, it should come as no surprise that burnout is not uncommon. If the security officer quits, don’t leave the position open. Find a new HIPAA security officer with relevant training and credentials as soon as possible to avoid winding up with a heap of compliance issues to deal with once the position is filled.
5. Don’t Ignore Breach Notification Requirements
There are very specific protocols for dealing with data breaches. The Breach Notification Rule lays out all the information security officers need to determine how to provide notification following a data security breach, which can apply to any impermissible disclosure of a patient’s protected health information.
Following a breach, the facility is obligated to notify all affected individuals. In some cases, the Secretary and even the media may also need to be notified of breaches of unsecured protected health information. If the breach affected more than 500 residents of a particular state, covered entities must notify the media by issuing a press release in addition to sending individual notices to all of the patients whose data was impacted. Both the press release and the individual notices must be provided within 60 days of the breach’s discovery.
No healthcare facility wants to be placed in a position where it is forced to disclose a data breach. However, it’s important for organizations to be prepared. Develop a cyber incident response plan that establishes and refines notification policies and procedures. Breach notification is best treated as an integral part of a more general emergency preparedness plan.
The Bottom Line
HIPAA regulations were put in place for a reason. They’re designed to protect patients by ensuring that their healthcare and insurance providers and all of these institutions’ business associates are taking the steps necessary to protect sensitive data and patient confidentiality. All covered entities should take HIPAA regulations seriously and ensure they are performing their due diligence in regard to ongoing compliance. Working with business associates who take HIPAA equally seriously is a very important part of ensuring compliance.