HIPAA Compliance Plan Example: Building a HIPAA Compliance Program
To build an effective HIPAA compliance program, you must ensure that the protected health information (PHI) you work with maintains its confidentiality, integrity, and availability. This is achieved by implementing the six above-mentioned components within your organization. Find out how to become HIPAA compliant by following our compliance plan template.
HIPAA requires you to implement administrative, physical, and technical safeguards to secure PHI. By conducting self-audits, you identify areas in which your HIPAA safeguards are lacking. If you are a covered entity, you are required to conduct six self-audits annually. If you are a business associate, you are required to conduct five self-audits annually.
◈ IT Risk Analysis Questionnaire: establishes a standard device installation and setup process across your entire organization.
◈ Security Standards: ensures that your organization’s security policies are in line with HIPAA requirements.
◈ HITECH Subtitle D: ensures that your organization has proper documentation and protocols in relation to the HIPAA Breach Notification Rule.
◈ Asset and Device: an itemized inventory of devices that contain ePHI. The device and asset list includes who uses each device and how your organization is protecting it.
◈ Physical Site: each physical location must be assessed to determine whether measures such as locks or alarm systems are in place to protect PHI.
◈ Privacy Assessment: assesses your organization’s privacy policies to ensure that PHI is used and disclosed in accordance with HIPAA (not required for business associates).
Gap identification and remediation.
Once you have completed your self-audits, gaps in your HIPAA safeguards are identified. To ensure your HIPAA compliance, your organization must create remediation plans to close the gaps.
Policies and procedures.
Policies and procedures create a framework for how your organization adheres to HIPAA standards. Policies and procedures must address the HIPAA Privacy, Security, and Breach Notification Rules. Your organization’s policies and procedures must be customized to apply directly to your business practices. Your policies and procedures must be reviewed annually, and updated, to account for any changes within your organization.
Employees who have access to, or the potential to access, protected health information must be trained annually. Annual training should include HIPAA basics, your organization’s policies and procedures, cybersecurity best practices, and the proper use of social media in a healthcare environment. To be HIPAA compliant, employee training must be documented to prove that each employee received the required training in a timely manner. If you make changes to your policies and procedures before an employee is scheduled to receive their annual training, the employee must be retrained as soon as possible.
Business associate management.
Business associate management is a key component of achieving and maintaining your HIPAA compliance. To ensure that your business associates (entities that receive, transmit, create, store, or maintain PHI on your behalf) are adequately securing PHI, you must send them a vendor questionnaire. The vendor questionnaire must be completed before you share PHI with them. This questionnaire is similar to your self-audits in that it measures your business associate’s safeguards against HIPAA standards.
In addition to the questionnaire, you must have signed business associate agreements (BAAs) with all of your business associates. BAAs must also be signed before you are permitted to share PHI with your business associates. A BAA is a legal document that dictates the safeguards your business associate is required to have in place, and mandates that they are responsible for maintaining their HIPAA compliance.
Should you experience a breach, you are required to report it. You should have clear guidelines for reporting an incident that your employees are aware of. This way, should an employee suspect a breach, they can report it to the right entity within a timeframe that is HIPAA compliant.
Breaches that affect 500 or more individuals must be reported within 60 days of discovery to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), affected patients, and the media. Breaches affecting fewer than 500 individuals must be reported within 60 days from the end of the calendar year in which the breach is discovered (March 1) to the HHS OCR and affected patients.