How to Make Your Company HIPAA Compliant

Root canals, sewer backups, and car breakdowns are three events most people dread. As terrible as they are, many people would gladly choose any one of them over going through the process of becoming HIPAA compliant. Achieving HIPAA compliance can be painful, messy, and inconvenient if you face the challenge alone.

Today we will present two options for how to make your company HIPAA compliant.

How to Make Your Company HIPAA Compliant – Begin Where You Are

Three important things to remember regarding HIPAA compliance:

  1. The primary focus of HIPAA compliance is patients’ protected health information (PHI). Whether it’s in a physical or electronic (ePHI) format, the law is concerned with the privacy and security of PHI and patients’ right of access to that information.
  2. Compliance is like being pregnant… you either are or you are not. The enforcement authorities at the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) do not give partial credit for partial compliance. It’s either all or nothing.
  3. Compliance is not a one-and-done thing. Certain activities must be done each year and records must be kept of everything you do. Not only do OCR investigators not give partial credit, but they also expect you to show your work each year. If you have no proof, you have no compliance.

With that in mind, HIPAA regulations require a security risk assessment (SRA) of your business each year as part of five or six required audits (depending on whether the business is a covered entity or a business associate). These audits provide a comprehensive overview of your organization’s current security, privacy, and administrative compliance.

You can choose to complete these audits alone or you can choose to use Compliancy Group’s compliance automation software, The Guard. The Guard breaks down these audits into a series of yes-no questions that can be answered by one individual or delegated to subject matter experts within your organization. On average, individuals using The Guard complete this step at least 80% faster than those who go it alone.

How to Make Your Company HIPAA Compliant – What You Are Missing and How You Can Fix It

After you complete the audit, you then must compare your current standards to the guidelines specified in HIPAA’s rules and regulations to identify potential gaps in what you are doing. If gaps are found, you must then create a remediation plan to address those gaps.

The Guard does this automatically, connecting each gap identified to specific sections of the HIPAA regulations. It then automatically creates a personalized remediation plan for your business and cites the specific regulations with each step in the plan. Users of The Guard complete this step 90% faster than those who do it on their own.

How to Make Your Company HIPAA Compliant – Mind Your Ps & Ps

Now that you have your remediation plan, HIPAA requires you to follow it by correcting the deficiencies and creating or updating your policies and procedures to reflect the changes. This is a critically important step because these policies must meet the standards outlined in the HIPAA Privacy Rule and Security Rule for handling PHI and ePHI. 

Policies and procedures must be customized for your business and must align with the HIPAA Standards. This means either you have to do it yourself, or you must hire an outside expert to do this. And don’t forget to keep up with the changes you made and when you made them. Remember you have to show your work in case of an audit.

Instead of struggling with this task, users of The Guard receive a customized set of policies and procedures that accurately reflect how their organization does business. These policies have been reviewed and vetted by experienced compliance attorneys, audit-tested in real-world situations, and proven to be effective. 

The policies are personalized with your company-specific information, and can even be expanded to address situations specific to your company. Anytime changes are made to these policies, automatic document versioning keeps track. Users of The Guard finish these tasks 90-95% faster than those who go it alone.

How to Make Your Company HIPAA Compliant – Train, Test, Track, and Attest

Now that you have your policies and procedures, employees must be trained on them annually. To be compliant, you must create the training content, distribute it annually, ensure that all employees attest to reviewing and understanding the training, and keep track of the attestations in a way that can be retrieved when needed.

The Guard streamlines this process in a highly efficient manner. Training is included in your service package. After uploading employees’ work email addresses, each staff member receives a link to the training within The Guard. When reviewing the training, they can attest that they understand it. The attestation is time-stamped and stored, ready for retrieval at a moment’s notice.

You have the ability to add other important documents (such as employee handbooks, non-disclosure agreements, etc.) that require attestation or e-signatures to The Guard and streamline document management. 

You’re also prepared any time your staff grows. The training modules are always available so that you can incorporate them into your onboarding tasks. In addition to automating the process and record-keeping, users of The Guard complete these tasks at least 70% faster than those who do the process themselves.

How to Make Your Company HIPAA Compliant – Doing Your Due (Diligence)

HIPAA regulations state that you must have business associate agreements in place with any vendor (business associate) who comes into contact with PHI or ePHI on your behalf. Each of these business associates must be HIPAA compliant. Each business associate agreement must contain 10 essential elements in order to be valid and you must perform due diligence on each business associate.

That means someone has to contact each business associate, know what to ask them to determine due diligence, evaluate their answers, and then reduce their responsibilities to a written contract.

This process is automated within The Guard. After creating a profile for each vendor, The Guard automatically sends them a yes-no questionnaire that will give you the information you need to satisfy the due diligence requirements. Business Associate Agreements are included within The Guard and can be exchanged and signed via email. 

The Guard also includes confidentiality agreements to cover situations where PHI might accidentally be exposed (such as a cleaning crew or maintenance provider) to further protect your business. 

These agreements only need to be updated if there is a material change in the scope of the agreement, but they should be reviewed annually to be certain they are still accurate. Users of The Guard finish these tasks 85-90% faster than those who go it alone.

How to Make Your Company HIPAA Compliant – In Case of Breach, Send Help!

HIPAA regulators know that breaches will happen. What they expect is that you will have an effective response strategy. You must provide a method for employees to report suspected breaches anonymously to provide whistleblower protection as required by law. You must also provide breach notification to HHS and the affected parties in the event of a breach within the timelines prescribed by the HIPAA Breach Notification Rule.

If you are managing HIPAA compliance alone, it’s up to you to develop the strategy to fulfill these requirements. It could mean contracting with an outside firm to provide the required anonymous breach reporting service, or developing the response plan on your own.

You also need to consider what you will do in the event of an audit by HIPAA regulators or one of the various state attorneys general that aggressively pursue healthcare privacy violations. You will either have to prepare the response on your own or hire a professional to assist.

The Guard has the solution built into the software. An anonymous breach reporting system is built into the software that is accessible by every one of your employees. If a breach is reported through the anonymous system or discovered at any point, your first call should be to Compliancy Group.

The same is true if you receive notice of any HIPAA or state healthcare privacy and security audit. When you call us, our team of experts will help you find what you need in The Guard and help prepare your response in an organized report. 

At any given point, one or more of our clients is facing an audit. In more than 17 years of experience, no client has ever failed an audit or been fined. We also guide you through the process of breach reporting to ensure that you won’t incur a violation because you missed reporting deadlines.

Users of The Guard report that the peace of mind and support provided by this service alone is beyond measure.

How to Make Your Company HIPAA Compliant – A Little Help From Your Friends

Most surveys report that it takes 100 or more hours to satisfy all of the requirements of HIPAA Compliance. Using The Guard, Compliancy Group clients generally reduce this time by 80-90% depending upon individual circumstances.

Compliancy Group clients save more than just time. Each client is assigned a dedicated Compliance Coach that will help them learn to use The Guard in the most effective manner for their organization. The coaches provide practical advice about The Guard and will direct you to find more specialized advice within our expansive Knowledge Base. 