Since the start of the coronavirus pandemic, there have been a lot of questions about HIPAA compliance and software. At the beginning of the crisis, the Department of Health and Human Services (HHS) released guidance temporarily easing HIPAA restrictions around the use of telehealth. This loosening led many organizations to falsely assume that they no longer have to comply with HIPAA. To clear up this misconception, HIPAA compliance now is discussed below.
HIPAA Now: Telehealth
To increase access to telehealth during the public health emergency, HHS eased restrictions. However, this applies only to healthcare providers offering telehealth in “good faith,” as in providers that continue to safeguard protected health information (PHI), but may be using non-public facing telecommunication platforms that are not HIPAA compliant.
Once the public health emergency passes, healthcare providers wishing to offer telehealth services will need to use telecommunications platforms that are HIPAA compliant. Although the restrictions were eased for telehealth provided in good faith, providers must continue to implement an effective HIPAA compliance program.
HIPAA Now: Effective HIPAA Compliance Program
An effective HIPAA compliance program must ensure the confidentiality, integrity, and availability with safeguards. These safeguards include administrative, technical, and physical. An effective HIPAA compliance program consists of several components.
◈ Risk Assessments. Covered entities are required to conduct six self-audits annually. Completing self-audits measures an organization’s administrative, physical, and technical safeguards against HIPAA standards.
◈ Gap Identification and Remediation. Upon completion of self-audits, gaps in safeguards are identified. To be HIPAA compliant, organizations must address gaps with remediation plans. Remediation efforts close gaps so that an organization’s safeguards are adequately securing PHI.
◈ Policies and Procedures. A major component of HIPAA now is illustrating compliance through documentation. As such, organizations must have customized policies and procedures dictating how they adhere to the HIPAA Security, Privacy, and Breach Notifications Rules.
◈ Employee Training. To ensure that employees properly use and disclose PHI, they must be trained annually. HIPAA training should include HIPAA basics, their organization’s policies and procedures, proper use of social media, and cybersecurity.
◈ Business Associate Management. Before working with a vendor, it is essential to assess their safeguards. Vendors (business associates) are required to be HIPAA compliant to work with healthcare clients. They must also be willing to sign a business associate agreement (BAA). A BAA must be signed before it is permitted to share PHI with the business associate. A BAA is a legal document that dictates the safeguards the business associate is required to have in place, it also requires each party to be responsible for maintaining their compliance.
◈ Incident Response. Organizations that experience a breach have an obligation to report it. Depending on the size of the breach, reporting requirements differ. Breaches affecting 500 or more patients must be reported within 60 days of discovery to the HHS, affected patients, and the media. Breaches affecting less than 500 patients must be reported within 60 days from the end of the calendar year in which the breach was discovered (March 1) to the HHS and affected patients.
Need Help with HIPAA?
Let our complete HIPAA solution handle it.