Online HIPAA

When healthcare providers and the vendors that serve them seek guidance about HIPAA compliance, an internet search for “online HIPAA” is one place to start.

You’ll find offers of (nearly) free training, compliance, or certification, but how well do these online HIPAA compliance services match what the government actually requires in order to be HIPAA compliant?

Online HIPAA Services – How We Got Here

The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996. It defined what constitutes protected health information (PHI) and established standards to ensure the safety and privacy of that information. 

The requirements of HIPAA have expanded and evolved since the law was passed. Today, the Department of Health and Human Services offers guidance in The Seven Fundamental Elements of an Effective Compliance Program.

These elements are:

  1. Implementing written policies, procedures, and standards of conduct.
  2. Designating a compliance officer and compliance committee.
  3. Conducting effective training and education.
  4. Developing effective lines of communication.
  5. Conducting internal monitoring and auditing.
  6. Enforcing standards through well-publicized disciplinary guidelines.
  7. Responding promptly to detected offenses and undertaking corrective action.

The guidelines tell you what constitutes an effective HIPAA compliance program. They do not describe how to build it in a manner that is effective for your organization. The HIPAA regulations are intentionally vague to provide the largest number of paths for healthcare providers and business associates to become compliant in a manner that fulfills the law’s requirements regardless of their size or complexity. 


Online HIPAA Services – What is Required

In the eyes of the government, HIPAA compliance is a PASS/FAIL scenario. There’s no such thing as being “almost” compliant. 

To meet the Seven Fundamental Elements listed above, specific tasks must be completed, such as a security risk assessment (SRA). Many organizations do not realize that as many as six distinct assessments are needed to complete an SRA fully.

The role of the SRA is to identify HIPAA compliance gaps and build remediation plans to address the gaps found. Those gaps can vary widely from organization to organization. The remediation plan must address the gaps found by your SRA, not the SRA of the practice or business across the street.

You must have policies and procedures that address the specifics of your business and how your company accesses, uses, stores, and protects patient PHI. One-size-fits-all solutions generally fall short of meeting HIPAA requirements.

Employers must train their employees regularly on cybersecurity, privacy guidelines, and the acceptable use of PHI. Employees need to sign attestations that they understand the training.

You must have business associate agreements (BAAs) with any vendor who comes into possession of PHI or electronic PHI (ePHI) before the data transfers to them.

You must have a method by which whistleblowers can anonymously report possible breaches of PHI, and a process to investigate what actually happened. If a violation occurs, you must make the appropriate notifications to affected individuals and to the government in the manner and within the timelines specified by the HIPAA regulations.

Finally, suppose you are audited due to a breach or a surprise audit. You must be able to prove that you have done all of the things required to the satisfaction of t