Transcript
In this video, we will discuss what is required for HIPAA compliance.
- Now that you have a sense for the foundations of HIPAA, we’ll take a dive into what’s necessary for your practice to effectively comply with the law.
STEP 1: Audits
- The first step in any effective compliance program is to execute a series of audits.
- These audits will give you a baseline of where your practice stands against HIPAA law.
- HIPAA requires covered entities and business associates to conduct annual audits of their organization to assess Administrative, Technical, and Physical gaps in compliance with HIPAA Privacy and Security standards.
- Under HIPAA, a Security Risk Assessment is NOT ENOUGH to be compliant; it's only one essential audit that HIPAA-beholden entities are required to perform in order to maintain their compliance year-over-year.
STEP 2: Remediation Plans
- Once covered entities and business associates have identified their gaps in compliance through these self-audits, they must implement remediation plans to reverse compliance violations.
- These remediation plans must be fully documented and include calendar dates by which gaps will be remediated.
STEP 3: Policies and procedures
- Covered entities and business associates must develop Policies and Procedures corresponding to HIPAA regulatory standards as outlined by the HIPAA Rules.
- These policies and procedures must be regularly updated to account for changes to the organization.
- Annual staff training on these Policies and Procedures is required, along with documented employee attestation stating that staff has read and understood each of the organization’s policies and procedures.
STEP 4: Documentation
- HIPAA-beholden organizations must document ALL efforts they take to become HIPAA compliant. This documentation is critical during a HIPAA investigation with HHS to pass strict HIPAA audits.
STEP 5: Business Associate Management
- Covered entities and business associates must document all vendors with whom they share PHI in any way, and execute Business Associate Agreements.
- Business associate agreements must be signed before PHI is shared.
- This ensures PHI is handled securely and mitigates liability.
STEP 6: Incident Management
- If a covered entity or business associate has a data breach, they must have a process to document the breach and notify patients that their data has been compromised in accordance with the HIPAA Breach Notification Rule.
This concludes our HIPAA 101 Training. Please test your knowledge by taking our quiz!