Does Your HIPAA Compliance Handbook Do More Harm Than Good?

If you’ve ever bought flat-pack furniture, you know everything looks alike when it’s out of the box. The provided instructions often aren’t much help either. Sometimes you wonder if you have the pieces for a bookshelf and instructions for a playpen.

Many off-the-shelf HIPAA compliance handbooks have a lot in common with do-it-yourself furniture. You’re promised HIPAA compliance, a lower price, and “easy-to-follow instructions.” But you’re likely to get frustration, missing parts, and something that could do more harm than good.

Do-it-Yourself HIPAA Compliance Handbook: Who Does One Size Fit?

Do-it-yourself compliance with a fill-in-the-blank HIPAA compliance handbook sounds inviting. Often, they promise complete policies, procedures, and business associate agreements that simply need you to add your organization’s name.

What’s the problem with that approach? HIPAA was written to apply to everyone who creates, possesses, or processes protected health information (PHI). The Mayo Clinic and a rural dental office in Alaska are both expected to fulfill every one of HIPAA’s rules and regulations.

As you might imagine, the process for becoming HIPAA compliant would look very different for each entity. To be effective, an organization’s policies and procedures must reflect the unique characteristics of that organization. 

Now think about two pediatric clinics in the same town with the same number and makeup of staffing, patients, and vendors. With so many similarities, there are still likely to be differences in how their clinics operate. Perhaps, one allows clerical employees to work from home. The other offers patient visit summaries via text message. The policies and procedures of each clinic must account for those key differences. If they don’t, neither clinic would be HIPAA compliant.

To make matters worse, the gaps left by fill-in-the-blank HIPAA compliance handbooks have resulted in HIPAA violations in the past. Violations can lead to substantial HIPAA fines.

Compliancy Group’s automated HIPAA solution, “The Guard,” includes policies and procedures that were prepared by HIPAA experts and have been audit tested. You can personalize the policies to the specific situations that make your organization unique. Your policies and procedures become a HIPAA handbook for healthcare staff that supports how you work and is also HIPAA compliant.

Do-it-Yourself HIPAA Compliance Handbook: Is That a Policy or a Cry For Help?

Another problem with anything do-it-yourself is that you have to DO it yourself. Most healthcare practitioners and business associates are not experts in HIPAA law. What happens when you need something in your fill-in-the-blank HIPAA compliance handbook, like the HIPAA Privacy Rule, translated into plain language you can act on?

You can always Google for answers, mine the HHS website for guidance, and talk to colleagues who have been through the process. But do you really know that you’re answering the question asked? Have you closed every gap in your HIPAA compliance?

Compliancy Group has dedicated Compliance Coaches who walk with you as you learn how to use “The Guard.” They can direct you to Knowledge Base articles that explain topics clearly and concisely. They can also reach out to our regulatory subject matter experts as needed.

Coaches don’t provide legal advice, and they can’t do the work for you. But your Compliance Coach will guide you through the process and the software in a way that allows you to learn as you become compliant. That way, you develop the confidence that you’ve done everything right. 

Do-it-Yourself HIPAA Compliance Handbook: How Do I Get the Missing Parts?

A do-it-yourself HIPAA handbook might look like a good solution for your situation. Maybe the policies you create will fit your needs perfectly. Unfortunately, there’s a lot more to HIPAA compliance than just policies and procedures. And just like your fourth-grade math teacher, you get nothing for a partial answer.

HIPAA compliance is a pass/fail exercise. You either are fully compliant, or you’re not compliant. Making matters worse, you have to be able to prove you’re compliant when HHS auditors show up.

Full compliance requires the following things:

  1. Annual Security Risk Assessment – Covered entities like healthcare providers have six audits that must be performed annually to identify possible gaps in their compliance. Business associates (vendors that serve covered entities) must complete five audits annually.
  2. Gap Identification and Remediation – All compliance gaps identified with the audits must have clear remediation plans defined to close the gaps.
  3. Policies and Procedures – Actions required to remediate gaps should be tied to specific sections of HIPAA law and incorporated into organizational policies and procedures.
  4. Training, Testing, and Attestation – All employees who may come into contact with PHI must be trained and tested annually on the relevant policies and procedures and on HIPAA and cybersecurity best practices. Training records and employee attestations must be saved in case of an audit.
  5. Business Associate Agreements – The Guard has business associate agreements (BAAs) and confidentiality agreements you can use with business associates and other vendors. Before any PHI is transferred, you must sign BAAs with every organization that will come into contact with patient PHI. The Guard stores all your BAAs, so they are available if needed.
  6. Breach Reporting and Incident Response – The HIPAA Breach Notification Rule states that anonymous breach reporting must be available to employee whistleblowers, and that processes for identifying and responding to potential breaches and other incidents must be in place.

If a do-it-yourself HIPAA compliance handbook misses any of the six items above, you won’t be HIPAA compliant.

Because “The Guard” is a total HIPAA solution, all the requirements listed above are fully and wholly met in a way that is easy to use, organized, and customizable for your organization.

In addition, when there are any changes to HIPAA requirements, The Guard notifies you of the changes and what you need to do to stay compliant. That’s something you won’t get from a DIY HIPAA compliance handbook.