When healthcare providers and the vendors that serve them seek guidance about HIPAA Compliance, an internet search for “online HIPAA” is one place to start.
You’ll find promises of (nearly) free training, compliance, or certification offered, but how do these online HIPAA compliance services match what the government requires to be HIPAA compliant?
Online HIPAA Services – How We Got Here
The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996. It defined what constitutes protected health information (PHI) and established standards to ensure the safety and privacy of that information.
The requirements of HIPAA have expanded and evolved since being passed. Today, the Department of Health and Human Services offers guidance in The Seven Fundamental Elements of an Effective Compliance Program.
These elements are:
- Implementing written policies, procedures, and standards of conduct.
- Designating a compliance officer and compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicized disciplinary guidelines.
- Responding promptly to detected offenses and undertaking corrective action.
The guidelines tell you what constitutes an effective HIPAA compliance program. They do not describe how to build it in a manner that is effective for your organization. The HIPAA regulations are intentionally vague to provide the largest number of paths for healthcare providers and business associates to become compliant in a manner that fulfills the law’s requirements regardless of their size or complexity.
Online HIPAA Services – What is Required
In the eyes of the government, HIPAA compliance is a PASS/FAIL scenario. There’s no such thing as being “almost” compliant.
To meet the Seven Fundamental Elements listed above, specific tasks must be completed, such as a security risk assessment (SRA). Many organizations do not realize that as many as six distinct assessments may be needed to complete an SRA fully.
The role of the SRA is to identify HIPAA compliance gaps and build remediation plans to address the gaps found. Those gaps can vary widely from organization to organization. The remediation plan must address the gaps found by your SRA, not the SRA of the practice or business across the street.
You must have policies and procedures that address the specifics of your business and how your company accesses, uses, stores, and protects patient PHI. One-size-fits-all solutions generally fall short of meeting HIPAA requirements.
Employers must train their employees regularly on cybersecurity, privacy guidelines, and the acceptable use of PHI. Employees need to sign attestations that they understand the training.
You must have business associate agreements (BAAs) with any vendor who comes into possession of PHI or electronic PHI (ePHI) before the data transfers to them.
You must have a method by which whistleblowers can anonymously report possible breaches of PHI, and a process to investigate what actually happened. If a violation occurs, you must make the appropriate notifications to affected individuals and the government in the manner and within the timelines specified by the HIPAA regulations.
Finally, suppose you are audited, whether because of a breach or through a surprise audit. You must be able to prove, to the satisfaction of the auditors or investigators from the HHS Office for Civil Rights (OCR), that you have done all of the things required. Failure to do so can result in severe civil and criminal penalties.
And each year, you must start again with your SRA. HIPAA compliance is not a one-and-done thing. The good news is that after you build an effective compliance program, maintaining that program requires much less effort.
Very few companies offering online HIPAA compliance services actually provide complete solutions. Most deliver generic policies or stand-alone training, coupled with customer support that is confusing at best. So who will be there to help you if your organization ever suffers a data breach or an OCR investigation?
Online HIPAA Services – Real Solutions and Real Guidance
Compliancy Group’s HIPAA compliance solution addresses all regulatory requirements and creates a foundation to build a culture of compliance in your organization.
First, you gain access to our industry-best software solution, “The Guard.” The Guard acts as your compliance nerve center, guiding you through the required audits, building remediation plans, and creating policies and procedures that work for your organization.
Annual required employee training is included in The Guard, along with the tracking and attestation needed to prove that it actually happened.
All business associate agreements are logged in The Guard, and it also provides anonymous breach reporting for employees as required by law. If you ever face a data breach or audit, we’re as close as your phone and ready to help you respond.
In addition, you will have a dedicated Compliance Coach with you every step of the way. They will identify the information you need to gather to become compliant, answer questions specific to your business, and help you move from HOPING that you’re compliant to KNOWING you are.
When regulations change, your Compliance Coach will be there to keep you up to date. Year after year, following their guidance keeps you compliant.
The choice is yours. You can struggle to build a piecemeal solution that MIGHT be effective today, or you can have a cost-effective, comprehensive online HIPAA compliance solution with dedicated live help and experts who have your back. After more than 17 years in business, no Compliancy Group client has ever failed an OCR audit or had to pay a fine.