To ensure that employees follow HIPAA standards and your organization’s policies and procedures, they must be trained on them. Employee training should cover HIPAA basics, your organization’s policies and procedures, and cybersecurity best practices.
Business Associate Agreements.
Healthcare organizations have an obligation to ensure that their business associates will protect the PHI shared with them. A business associate agreement (BAA) must be signed before PHI may be shared with a business associate. The BAA dictates the security measures the business associate is required to have in place to secure PHI. It also makes each signing party responsible for maintaining its own HIPAA compliance.
Your Guide to HIPAA Compliance: Illustrating HIPAA Compliance
It is not enough to implement a HIPAA compliance plan; your efforts must also be documented. This way, should you be subject to an Office for Civil Rights (OCR) audit, you will be able to prove your “good faith effort” toward compliance.
Employees must legally attest that they have completed their HIPAA training and that they understand and agree to adhere to the training material. Proof of their training must be documented to show that all employees are trained in a timely manner.
Healthcare organizations must have additional documentation to prove their compliance. This includes proof of completed self-audits, written policies and procedures, and signed business associate agreements.