There are several aspects of HIPAA compliance that elude most businesses. However, failing to address the full HIPAA requirements puts healthcare businesses at risk of breaches and fines. To provide guidance to healthcare organizations, the most common HIPAA compliance issues, and how to address them are discussed.
- Failing to Conduct Security Risk Analysis
- Lack of Adequate Security Controls
- Inadequate Device Security Protections
- Failing to Conduct Vendor Due Diligence
- Outdated HIPAA Policies and Procedures
- Failing to Implement Data Backup and Disaster Recovery
- Lack of Comprehensive Employee Training
HIPAA Compliance Issues: Security Risk Analysis
An important part of HIPAA compliance, and an area in which most audited businesses fail to address, is conducting an enterprise-wide security risk analysis. The purpose of conducting a risk analysis is to identify gaps and vulnerabilities in your organization’s security practices. HIPAA requires you to conduct a risk analysis annually, or whenever there are changes to your business operations.
HIPAA Compliance Issues: Security Controls
Implementing advanced security controls is the best way to prevent unauthorized access to protected health information (PHI). Security controls may include encryption to prevent unauthorized users from accessing data, access controls to designate different levels of access to data based on an employee’s job role, and audit controls to track access to data.
HIPAA Compliance Issues: Device Security Protections
Device security protections have never been more important with the increase in remote workers. Many remote workers use personal devices to conduct business, however, before permitting an employee to do so, it is essential to ensure that their personal devices have adequate security protections in place.
Download our bring your own device policy for guidance on securing employee devices.
HIPAA Compliance Issues: Vendor Due Diligence
Many organizations fail to conduct vendor due diligence when considering new vendors. But, their vulnerabilities are ultimately your vulnerabilities. Additionally, when you fail to vet vendors, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) will hold you liable should your vendor experience a breach. To conduct vendor due diligence, you must send your vendors a risk analysis much like the one you are required to complete. You must also have a signed business associate agreement with your vendor before it is permitted to share PHI with them.
HIPAA Compliance Issues: HIPAA Policies and Procedures
HIPAA policies and procedures are an important aspect of preventing HIPAA compliance issues. Policies and procedures provide your organization and employees with guidelines on the proper uses and disclosures of PHI, how to protect PHI, and how to report a breach should one occur.
HIPAA Compliance Issues: Data Backup and Disaster Recovery
As more and more healthcare organizations fall victim to cyberattacks that maliciously encrypt their data, implementing a data backup and disaster recovery plan is the key to a quick recovery. HIPAA requires you to retain exact copies of PHI in both local and offsite data locations so that in the event of breach or natural disaster, files can be easily accessible.
HIPAA Compliance Issues: Employee Training
Employee training is integral to HIPAA compliance. Employees must be trained annually on HIPAA basics, your organization’s policies and procedures, and cybersecurity best practices.
