We’ve come to the end of our HIPAA series, and if you’ve been following along, you might feel overwhelmed by the prospect of becoming HIPAA compliant. There’s a lot to do if you’re just starting out. Keep in mind that by creating a culture of compliance, it becomes easier to verify that you’re following the Security and Privacy Rules in the future. Instead of creating policies, you’ll be updating them. Instead of choosing technical safeguards, you’ll be evaluating what’s already in place. Once you are HIPAA compliant, it’s easy to stay HIPAA compliant.
Tips for HIPAA Beginners
For those of you tackling HIPAA for the first time or those whose current HIPAA compliance program isn’t doing enough, here are a few tips to help you start the process.
Know what you have—The start of any HIPAA compliance program is determining what PHI and ePHI you have, what programs or processes access that information, and what policies or safeguards are already in place to protect it. Without knowing that, you can’t know what needs to be fixed.
Perform the SRA first—It’s the first security standard for a reason. A complete and thorough Security Risk Analysis is critical to compliance, and you’ll find that during the SRA process you’ll address many of the other standards in the Security Rule. If you don’t feel you can perform this on your own, it may be beneficial to call in an outside consulting company to help you.
Document everything—Get used to this right away. You must not only become compliant but also prove that you are compliant, and that is done through documentation. Be careful you don’t fall into the trap of “paper compliance,” where you have the documentation but fail to follow through in everyday practice. A policy is useless if it’s not implemented.
Accept that it’s a process—Compliance doesn’t happen overnight. From the SRA to the documentation to the evaluations, compliance takes time. It is a continuous process of monitoring and updating to ensure the privacy and security of PHI.
Get everyone on the same page—Training on HIPAA needs to happen from top to bottom. This helps create a culture of compliance that will make ongoing compliance efforts easier. If those in leadership positions understand why it’s important to be HIPAA compliant, appropriate policies and procedures can be created and the budget adjusted according to needs. When employees know the rules to ensure the confidentiality, integrity, and availability of PHI, there is less chance that an avoidable breach will happen.
There is no one prescriptive way to go about HIPAA compliance. HIPAA is designed to be vague enough that any size or type of business can adopt the same requirements. This gives each business the freedom to implement the requirements in the way that best fits it, but it also requires that you take responsibility for the decisions you make. With that said, following a logical HIPAA compliance plan will help determine the most reasonable and appropriate measures for your business in a straightforward way. Compliance is always easier with a plan.
Knowing where to go for information can assist any Compliance Officer in their efforts to become HIPAA compliant. Below is a collection of the resources found throughout this series.
- The HITECH Act https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html
- The OMNIBUS Rule https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/omnibus-hipaa-rulemaking/index.html
- HHS Breach Database https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Introduction to the Security Rule
- HHS Security Series https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
- NIST Introductory Guide to HIPAA https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-66r1.pdf
Security Risk Analysis
- ONC Myths of the SRA https://www.healthit.gov/topic/privacy-security-and-hipaa/top-10-myths-security-risk-analysis
- SRA Tool https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
- SRA Videos https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-videos
- Privacy and Security Training Games https://www.healthit.gov/topic/privacy-security-and-hipaa/privacy-security-training-games
- HHS Security Series – SRA https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf?language=es
- ONC Guide to Privacy and Security of ePHI https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
- HHS Guide on SRA https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
- NIST Managing Information Security Risk https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
- NIST Guide to Conducting Risk Assessments https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
- HHS Emergency Preparedness https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/index.html
- Cybersecurity & Infrastructure Security Agency https://www.cisa.gov/cybersecurity
- Cost of Data Breach Study https://securityintelligence.com/series/ponemon-institute-cost-of-a-data-breach-2018/
- HHS Encryption Guidance https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html
- HHS Breach Notification https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
- HHS Ransomware and HIPAA https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
- DOJ Protect from Ransomware https://www.justice.gov/criminal-ccips/file/872771/download