HIPAA compliance is essential for Covered Entities and Business Associates and means abiding by the HIPAA Rules. Any organization that is a Covered Entity or Business Associate under HIPAA regulations must complete an annual security risk assessment and demonstrate progress towards mitigating identified gaps as evidence of compliance for a potential HHS/OCR audit.
What is a Covered Entity?
A Covered Entity is a health plan, healthcare clearinghouse, or healthcare provider who electronically transmits any Protected Health Information (PHI). Covered Entities can be organizations, institutions or persons.
What is a Business Associate?
A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a Covered Entity.
What is a Business Associate Agreement (BAA)?
A BAA is a written contract that specifies each party's responsibilities as they pertain to PHI. In the context of security, a BAA is designed to help Covered Entities minimize the risk of a breach when dealing with Business Associates (BAs). HIPAA requires that Covered Entities only work with Business Associates who are able to ensure complete protection of PHI. If a breach occurs, the Covered Entity can be held responsible if a BAA is not in place.
If HIPAA compliance is part of your organizational initiatives and requirements this year, we’ve created a checklist to simplify the process.
- Complete a HIPAA Security Risk Assessment. A HIPAA risk assessment is the first step in determining gaps and risks in your environment. Conducting an assessment will also address your existing policies regarding PHI, security, and breach notification. Once the assessment is complete, you should develop a remediation plan that outlines how you will address the gaps and risks identified.
- Appoint a Privacy and/or Security Officer. HIPAA compliance is an ongoing process. A designated HIPAA Privacy Officer or Security Officer can oversee the development and execution of privacy policies and procedures governing how your organization uses and manages PHI.
- Conduct at least an annual security training for your staff. Your users are your biggest threat. Conducting annual security training with your employees allows you to review security policies and procedures. Training should also address password policies, phishing, physical security controls, internet security and more. Organizations providing more frequent security training and awareness activities create a culture of security within the organization.
- Document policies and procedures and complete periodic evaluations against them. Security policies and procedures should be documented and available to any employee at any time. Acknowledgement of these policies should be required for all new hires and on an annual basis. Policies should be periodically reviewed and updated in accordance with the changing threat landscape, increasing sophistication of cyberattacks, and compliance regulations.
- Manage the due diligence process for all your Business Associates. As stated above, a BAA is designed to protect a Covered Entity as it pertains to PHI. If the Covered Entity becomes aware of any issues with a Business Associate and does not remediate them, it could be liable should a breach occur. Conduct the appropriate due diligence to ensure that the Business Associate is taking the appropriate steps to protect any sensitive information, including conducting its own Security Risk Assessment. Review and update your agreements as needed.
- Document and review the process for reporting a HIPAA breach. There is a HIPAA breach notification rule that outlines how organizations are required by law to report and disclose breaches. Breach notification requirements differ based on the type of breach, how the breach occurred, and how many people were affected by the breach. Your Security or Privacy Officer should be intimately familiar with the breach notification rule and should document policies that follow the requirements of the rule. These policies should be reviewed with employees during annual security training and any time a change to the policy has been made.
- Continue to assess and manage risk. The task of ensuring security is never finished. It is an ongoing effort that requires buy-in from the entire organization. Stay informed about the latest attack vectors and compliance requirements. Develop an ongoing plan to assess and manage your risk so that you’re ready for your next assessment. Consider a penetration test to determine the strength of your network.
Achieving compliance with HIPAA requirements may seem like a daunting task, but it doesn't have to be. Contact us today to start your journey on the road to HIPAA compliance.