HIPAA made easy is a topic we have discussed many times before, but today we are going to cover it specifically. So often we get requests for the "easiest way" to do HIPAA. This isn't something to check off a list and have done. It is something that you do every day as part of your business. The idea that you can make HIPAA easy is similar to saying that doing all of the accounting and taxes for your business is easy. Maybe that is true if there is one person to pay and that person is you, but handling your finances correctly isn't something many people find easy.
Yes, the data can be gathered and entered into systems. But do you know all the forms to complete, documents to save, follow-up to do, classifications to determine, etc.? It isn't easy, but it is doable. So is HIPAA.
The difference between an OCR audit and an investigation matters in this discussion. Many times we get questions about what problems are found in an OCR audit. Audits are informative, but what most people are really asking is what problems are found in investigations. You are statistically unlikely to be involved in an OCR audit, since only a few hundred of those have ever been done. Thousands of investigations are taking place every year. If HIPAA made easy were the answer, they wouldn't have so many results that require a corrective action plan.
Policies and Procedures
The place to start isn't with a penetration test or getting some templates. It is a policy and procedure on policies and procedures. Documentation management is a key element of a program. If you can't produce the book of evidence that shows you have done the written policies and procedures, audits, assessments, and reviews, then it isn't a program that can be substantiated. You may need to produce documentation from as much as 6 years in the past. Without a plan and a system, it is unlikely that you will be able to do so. HIPAA made easy does often include a lot of documents, but you still have to know how to find them.
Policies and procedures are often the place people start. A set of policy and procedure templates isn't the easy way out of doing the work. You don't just fill in a few blanks and have things covered. If you have the policies and procedures in place but you don't even know what is in them, much less follow them, then it won't fare very well in any kind of evaluation of your program. A few of the privacy issues that people have in their policies and procedures are:
- The Notice of Privacy Practices may not be correctly done or in the right places. The document must be complete and available in your lobby as well as on your website.
- Actual procedures on how to address patient requests for medical records. The old rule of just charging whatever the limit is for your state doesn't apply any longer. See the current guidance on what you can charge.
Security Risk Analysis and Assessment
If you are the IT provider, ask for the SRA.
You must train your staff about HIPAA, but security awareness training is also a must. It is highly unlikely that you can build a culture of compliance or security or anything else with a quick annual
Business Associate Management
Third-party controls are a big issue for all businesses these days. Yes, they are required to sign a Business Associate Agreement. If you just stop there, you are opening yourself up to some big problems that will be completely out of your control. Supply chain management is becoming a required element for making sure you are protected. The updates to the NIST CSF that are coming out this year even add supply chain management elements to that framework.
Security Tools, Controls, Audits, Assessments
HIPAA isn't just about security tools and controls being in place. How can a firewall make you HIPAA compliant all by itself? That is what HIPAA made easy implies to too many people, though.
Installing the tools alone doesn't make HIPAA easy either. You must be reviewing all of the alerts and audits that these tools provide. If you are ignoring them, the tools are not helping you secure your business and your valuable information assets like ePHI.
Who is looking at the alerts? Who is doing audits and actually taking actions on the findings?
Security Incident Response Plan
Incident response plans are a required element of HIPAA. You have to have a plan of action for when something happens. The better the plan, the better you are protected. When a crisis occurs, you can't be effective if you are figuring it out as you go. Everyone needs to know who to turn to for information and what their job is when things are in crisis.
Also, breach notification policies and procedures that spell out the actual steps you will take when a notification is required are genuinely helpful. The ones that simply say "the law says we must notify patients, so we will do it" aren't anywhere near as helpful as the ones that have a plan for actually doing the work of notification. Until you have done one, you likely won't appreciate the difference. But once you go through it, you will definitely understand the difference.
Other Policies and Procedures Often Overlooked
- A Business Continuity Plan, which is how you will keep your business running when a crisis hits. Cases like the recent Allscripts cloud outage make it obvious who is prepared for those kinds of situations.
- A Disaster Recovery Plan isn't just a backup. How will you recover your entire operation, not just get access to your data? A perfect backup does you little good if you have no place to restore it, no office to work in, and your people are unavailable.
HIPAA Made Easy Must Be Continuous
A continuous loop of activity has to take place or you don't have a program. This isn't a once-a-year activity anymore. It is a part of running your business on a day-to-day basis.
With as many people as talk about and ask about HIPAA made easy, you would think this would have occurred to them. If you believe this list sounds easy, then good for you. But to us, this list is not one that is easy; it is doable when you build a plan.