20 Steps to Become HIPAA Compliant
Many organizations struggle to figure out what is required of them to become HIPAA compliant. The following list identifies 20 steps organizations can take to become HIPAA compliant in 2020:
- Conduct self-audits
- Identify gaps in administrative, technical, and physical safeguards
- Create remediation plans to close gaps
- Create policies and procedures for the proper use and disclosure of PHI
- Implement access controls
- Identify systems that “touch” PHI to ensure that they are secure
- Determine what security measures need to be in place for systems that “touch” PHI
- Monitor PHI access with audit logs
- Create a policy for removing devices, with access to PHI, from your physical site
- Define a system for the proper disposal of PHI
- Conduct annual employee HIPAA training
- Conduct cybersecurity training, including how to identify a phishing email
- Send all vendors questionnaires to assess their safeguards
- Execute business associate agreements (BAA) with all vendors
- Execute confidentiality agreements (CAs) with subcontractors
- Create a process for identifying and tracking incidents
- Create a system for employees to anonymously report breaches
- Create a contingency plan for emergencies
- Appoint a Compliance Officer, Security Officer, and Privacy Officer
- Hire an MSSP to deploy security measures (for organizations without an IT department)
Conduct self-audits
There are six (five for business associates) required self-audits that must be conducted annually. The self-audits measure your current business practices against HIPAA requirements to ensure that you have adequate safeguards securing a patient’s protected health information (PHI).
Identify gaps in administrative, technical, and physical safeguards
Completing self-audits will identify any gaps you may have in your administrative, technical, or physical safeguards. Safeguards are required to be in place to maintain the confidentiality, integrity, and availability of PHI.
Create remediation plans to close gaps
Remediation plans are created to address the gaps identified by self-audits.
Create policies and procedures for the proper use and disclosure of PHI
HIPAA established the minimum necessary standard. This standard requires PHI to be accessed for a specific purpose, limiting the risk of insider threats to PHI. Staff members should only access the minimum necessary PHI to perform their job functions.
Implement access controls
Access controls limit access to PHI based on an employee’s job role to ensure that the minimum necessary standard is upheld. Each employee receives unique login credentials, enabling administrators to grant access to only the PHI that particular employee needs.
Identify systems that “touch” PHI to ensure that they are secure
To properly secure PHI, it is essential to be aware of where your PHI is stored, and what systems have access to PHI.
Determine what security measures need to be in place for systems that “touch” PHI
At a minimum, systems that create, store, maintain, or transmit PHI should be protected with firewalls, antivirus, and data backup. Although not explicitly mandated by HIPAA, these devices should also be encrypted, or similar “reasonable and appropriate” security measures must be put in place. Encryption masks sensitive data, rendering it unreadable to anyone without a decryption key.
Monitor PHI access with audit logs
Audit logs track access to PHI. All access to PHI is recorded, including who accessed it, what they accessed, and how long they accessed it for. Audit logs are a necessary component of detecting unauthorized access to PHI.
Create a policy for removing devices, with access to PHI, from your physical site
Devices that are removed from your physical site (e.g., laptops, mobile devices, or thumb drives) and that have access to PHI should be encrypted to prevent unauthorized access.
Define a system for the proper disposal of PHI
It is not permitted to simply throw out paper records or devices containing PHI. Paper records must be shredded, burned, pulped, or pulverized to ensure that they are unreadable. Devices containing PHI can either be destroyed using a hard drive shredder, or degaussed, which is the process of using powerful magnets to permanently erase data.
Conduct annual employee HIPAA training
All staff members must be trained annually on the HIPAA requirements. Training employees ensures that they are aware of permitted uses and disclosures of PHI.
Conduct cybersecurity training, including how to identify a phishing email
The most common breach that occurs is due to phishing emails. A phishing email is an email sent to an employee by a hacker impersonating a trusted entity. Phishing emails often contain malicious links that, when clicked, allow hackers access to the employee’s computer and, in some circumstances, an organization’s entire network. Conducting periodic cybersecurity training limits the risk that your employees will fall victim to a phishing email.
Send all vendors questionnaires to assess their safeguards
Vendor questionnaires should be sent to all of your business associates to ensure that they are adequately safeguarding the PHI that they can potentially access.
Execute business associate agreements (BAA) with all vendors
A business associate agreement (BAA) is a legal document that dictates what protections your business associate is required to have in place to safeguard PHI. A BAA also determines which party is responsible for reporting a breach should one occur. A BAA limits the liability of both signing parties as it states that each party is responsible for their own HIPAA compliance.
Execute confidentiality agreements (CAs) with subcontractors
Subcontractors (e.g., cleaning crews, plumbers, electricians) that enter your physical site are required to sign confidentiality agreements. Although they do not “touch” PHI as part of their job, they have the potential to come across PHI while in your office.
Create a process for identifying and tracking incidents
Developing an incident response plan drastically limits the scope and cost of a breach. Additionally, tracking incidents ensures that the problem is addressed in a timely manner.
Create a system for employees to anonymously report breaches
Under HIPAA, employees must have a means to report breaches anonymously. To become HIPAA compliant in 2020, you must have a means for employees to do so.
Create a contingency plan for emergencies
In the case of an emergency, such as a natural disaster, it is essential that you have a plan in place so that you may have access to PHI and essential business data. The best way to accomplish this is to have an offsite data backup center that stores all of your essential data.
Appoint a Compliance Officer, Security Officer, and Privacy Officer
It is not necessary to hire someone specifically for these roles; in fact, these roles can all be filled by the same employee. These officers are responsible for ensuring that your compliance program is implemented, and that the program covers the security and privacy requirements dictated by the HIPAA regulation. However, although not mandated, it is a good idea to appoint a member of your IT staff as your Security Officer. If you do not have an IT staff, you can contract an expert to fill this role.
Hire an MSSP to deploy security measures (for organizations without an IT department)
HIPAA requires organizations to have robust security measures safeguarding their PHI. Although it is possible to implement these measures without an expert, it may be more cost- and time-effective to hire an MSSP to deploy security measures.
How to Implement the Steps to Become HIPAA Compliant in 2020
Many of the steps to become HIPAA compliant are part of implementing an effective HIPAA compliance program. Although it is possible to implement a HIPAA compliance program on your own, it is best to consult an expert to ensure that you have covered the full regulation. The experts at Compliancy Group provide clients everything they need to implement an effective HIPAA compliance program in accordance with the law.
Not only do we provide you with all of the documentation you need to prove your “good faith” effort towards compliance, we also provide ongoing support. Our expert Compliance Coaches™ guide clients through the entire process of developing and implementing a compliance program. This is done through 30-minute virtual meetings; however, coaches are always available between meetings to answer any questions that may come up. We also provide the required annual HIPAA training for your staff members.
To implement the robust cybersecurity requirements mandated by HIPAA, Compliancy Group works with managed security service partners (MSSPs) that can be contracted to address your security needs. Once you have completed our implementation process, you are eligible to receive our HIPAA Seal of Compliance™. The Seal, which is meant to validate and verify that you have everything required to prove your compliance, can be displayed on your website, your email signature, and your organization’s window. The Seal is a great differentiator as it demonstrates to your patients and clients that they can trust you with their sensitive information.
Compliancy Group also has an Audit Response Team™ that supports clients that are subject to a HIPAA audit. We provide all of the documentation necessary to prove that you have made your “good faith” effort towards HIPAA compliance. We have a proven track record, as we have never failed an audit on behalf of our clients!