HIPAA compliance can be complex and time-consuming. However, it's never been more important to be certain that your HIPAA compliance program is sound. After a decade of lax enforcement the federal government is seriously ramping up its auditing of healthcare organizations for HIPAA compliance. In 2013 alone, Health and Human Services undertook 10,000 HIPAA investigations. The fines imposed in 2014 were eye-opening, with two cases receiving $4 million penalties.
Tribal health clinics are generally subject to the HIPAA Privacy and Security Rules pursuant to federal regulations. So what can your health organization do to become HIPAA compliant? Here are seven essential steps:
1. The Risk Analysis
This is the heavy-lift when it comes to developing a meaningful HIPAA program. Organizational leaders must sit-down together, often for several hours and in several sessions, to determine where threats to protected health information exist in the organization's practices, procedures, and personnel and, importantly, how to address those threats. If you haven't drilled down into how health information can escape from your practice on a day-to-day, encounter-to-encounter basis, then you have not conquered HIPAA.
2. Putting it on Paper
Once you've completed your Risk Analysis, you have to memorialize your work into comprehensive policies and procedures. These documents will direct your administration and staff on how to safeguard protected health information at your organization.
3. Putting the World on Notice
These policies and procedures must also be written up into a Notice of Privacy Practices that advises all patients and clients on exactly how their health information will be handled in your office. The Notice must be given to every patient or client at the first treatment encounter and must be posted on the organization website.
4. Business Associate Agreements
All business partners and service professionals who receive or create protected health information on behalf of your organization must sign an adequate Business Associates Agreement. This ensures that the sensitive information entrusted to your business partners and vendors is also protected by HIPAA since many of these companies are not HIPAA covered entities.
5. Review Authorization Forms
To be valid under HIPAA, authorization forms must contain several required warnings and meet other stringent factors, the absence of which will invalidate the authorization. These forms are used over and over again by your staff in order to give or gain access to highly sensitive information so make sure yours are up-to-date and legally sound.
6. The Critical Step - Training
After expending all of that energy developing and writing down your policies and procedures, make sure you don't skip the final vital step: training your staff. To reduce your chances of a HIPAA violation, your staff must be educated on how to properly safeguard patient information when it comes to daily practice, use of technology, interactions with vendors and effective mitigation steps when an information breach does occur. All of your hard work is for naught if you don't impart your HIPAA compliance plans with your staff. Plus, the HIPAA rules require it.
7. Vigilance is Required
If the last time your organization conducted a HIPAA tune-up was "a couple of years ago" you may be out of compliance. HIPAA requirements change often (important updates occurred in September 2013). Moreover, policies and training must be updated as your internal practices and technology tools change. Revisit your HIPAA program regularly and do not let your guard down.
Whether you are building a HIPAA compliance program from the ground up or just need an expert to review the state of your existing program, our attorneys can guide you along the road to compliance.