HIPAA Doesn’t Have Annual Requirements, But Here’s Why You Should

The truth is, there’s nothing in HIPAA law about annual requirements. But reading the law might make you wish there was.

What Does HIPAA Require for Risk Assessments?

HIPAA rules and regulations are a perfect example of a double-edged sword. Compliance is binary, which means it’s an all-or-nothing undertaking. Making matters worse is that the law is intentionally vague to be as widely applicable as possible.

Part of that vagueness comes from the law stating that the HIPAA standard for risk analysis compliance is “ongoing.”

“The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii)).” 

The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process.

Ongoing compliance means you must make any necessary changes to your compliance strategy whenever circumstances change that could impact the state of your compliance. These circumstances can include changes to the law, the software or equipment you use, your employees, or patients.

Many people think of HIPAA compliance as a goal to achieve. When you cross the finish line, it’s time to celebrate. The law views compliance more like a video recording. You must be compliant each time the video pauses, or you’re not compliant.

What Does HIPAA Require for Compliance in Training?

HIPAA provides less detail concerning employee training. Here’s the direct quote from the “simplified” instructions on the Department of Health and Human Services (HHS) website:

“A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”

The standard relates explicitly to training on the HIPAA policies and procedures that an organization has in place. This is a critical clarification because training that does not include employee review and attestation of organization policies will not satisfy the requirement of the law. How can you decide what strikes a balance between fulfilling the training requirements of the law and running your organization efficiently?

Industry Best Practices and the Good-Faith Principle

Industries identify best practices by looking at the successful actions taken by members as they respond to market and regulatory conditions. It doesn’t mean every business has to follow them, but they provide an excellent starting point to develop a strategy for your organization.

The HHS Office for Civil Rights is responsible for enforcing HIPAA. They understand that preventing every breach of protected health information (PHI) is impossible. They are far less understanding when they discover that an organization cannot demonstrate that its actions constitute a good-faith effort to follow the law.

Annual HIPAA compliance reviews and training are recognized as best practices by many in the healthcare industry. One reason is that it is an excellent way to demonstrate an organization’s good-faith efforts to comply with HIPAA Privacy Rule and HIPAA Security Rule requirements.

Compliancy Group’s healthcare compliance software, The Guard, streamlines the process of conducting risk assessments to identify gaps and craft remediation plans to address them. It helps you build and update policies and procedures and provides clear training with attestations for employees.

The Guard also keeps track of all Business Associate Agreements for your vendors and provides breach reporting and response services if needed. Most importantly, The Guard records all of your actions toward achieving HIPAA compliance so that you can prove your good-faith effort if necessary.