Every year a long list of healthcare organizations break HIPAA rules, accruing costly violation fees— not to mention the time and headaches of re-assessing their future compliance readiness.
There are a lot of rules and regulations you must adhere to in order to meet HIPAA compliance. You could be audited at any time, and preparedness is critical.
In our other article, “7 Reasons Healthcare Companies Face HIPAA Violations,” we covered some of the biggest reasons companies are penalized. Whereas in that article you’ll find a list of causes for violation, here we’re offering a checklist to ensure you’re complying with all things HIPAA.
Here are six important questions to ask yourself when assessing your HIPAA audit readiness:
1. Do you conduct a HIPAA security risk assessment on an annual basis?
It’s not uncommon for many businesses to view risk assessments as a waste of time: that’ll they tell you things you already know or that they are just there to check off a compliance requirement to be filed away. It’s true that you could very well ignore the results of a risk assessment, but the personalized information about your business's vulnerabilities, threats, and HIPAA warning signs they provide are invaluable.
A risk assessment could uncover that you do not have a https-certified website, which, if patients can access patient information via a patient portal on your practice website, is a HIPAA violation waiting to happen. This is just one example. We recommend conducting a professional risk assessment once a year to mitigate your risks and avoid any compliance threats.
2. Does your business have formal policies and procedures in place to maintain HIPAA compliance?
Do you even know which of HIPAA’s rules are applicable to your operations? Are your employees aware of and following them? The first step is knowing what you have to do to become compliant— but it doesn’t stop there. You must then form your own internal policies and procedures to ensure you aren’t violating any terms. This could mean establishing clear systems for entering or sharing PHI, as just one example.
Are you keeping up with the ever-evolving landscape of HIPAA regulation changes? Reassess your policies every year to ensure they are still pertinent and keep an attentive eye out for any modifications.
3. Does your staff know why you have these rules in place?
Beyond establishing these formal company procedures, does every employee have HIPAA training and participate annually in HIPAA continuing education? You can tell your staff what your “rules of operation” are, but do they truly understand why they must do this, and how the consequences of not following your protocol would affect themselves, your business, and your patients?
This can all be a lot to monitor and enforce. Does your practice have a designated HIPAA privacy/security officer? Establishing an authority around all things HIPAA can help to ensure protocols are understood and upheld.
4. Is all your data protected?
The Protected Health Information (PHI) that your house is a high target for breaches. Hackers are crafty and resourceful— and even with firewalls and antivirus software, you might not be safe.
Are you currently backing up all of your clinical information offsite? If you use electronic medical records, are they password-protected with unique user IDs/logins for each employee?
Data security goes beyond just your digital trail. If you still use paper records, are they locked away and hidden from view of all other patients? A data breach could be a costly HIPAA violation to recover from, both financially and reputationally.
5. When you transfer data, is it Encrypted?
It doesn’t stop at only protecting the PHI record itself; you must also safeguard your transference methods. X-rays, treatment plans, etc. can easily fall into unauthorized hands if sent to the incorrect source or through hacking— violating your patient record privacy policies and HIPAA compliance.
When you text or email your patients’ clinical information directly or use automated software, is it encrypted? There are multiple layers of security beyond encryption that you could add to your computer network to ensure that your PHI is protected. These include password protection, multi-step user authorization or verification, etc., and your practice should explore and utilize as many layers of security as possible.
6. Are your vendors or partners also HIPAA compliant?
You can spend so much time worrying about your own compliance that you could forget about how associated contacts could put you at risk of violation. If you send or communicate about PHI with another partner or vendor, be sure to ask them about their level of protection, and to ensure you are extra cautious when exchanging information. HIPAA requires that any vendor with which you do business signs a Business Associate Agreement. This agreement holds the vendor responsible for upholding HIPAA standards with regard to your practice’s PHI.
The HIPAA Assessment Calculator
These are just some considerations to help assess your HIPAA awareness and readiness. In reality, the checklist is much longer, and there are a number of ways you could be violating regulations.
That’s why you need help from the professionals. Here at Integrity Systems & Solutions, we specialize in helping medical and dental companies specifically.
Then, explore our HIPAA compliance services or give us a call at (866) 446-8797 for assistance in getting compliant today.
