Your medical facility may not be as HIPAA compliant as you think. Do you have a HIPAA Compliance Plan in place? Have you identified who is managing HIPAA Compliance Services for your location? Protecting patient data is mandated by the federal government, but the responsibility and implementation are up to you. To help, this article discusses the keys to success for HIPAA compliance.
Not sure what HIPAA entails? Our article What is HIPAA Compliance discusses the Health Insurance Portability and Accountability Act (HIPAA). It is THE standard for protecting sensitive patient data.
Patient data breaches happen more than you think.
According to HealthIT Security, 2019 and 2020 have been interesting years for HIPAA compliance and data breaches of patient records.
- In 2019, 41.4 million patient records were breached, versus 15 million records in 2016, a substantial increase in hacking activity.
- While 2020 brought the COVID-19 crisis and the shutdown of most of the world, hackers kept breaching patient data at the same levels as they had in the previous year.
Even if activity lulled during the pandemic in 2020, hospitals, doctors’ offices, and other facilities should not be lulled into a false sense of security. The next ransomware attack is just around the corner, and states are putting laws in place.
The data breach laws in Arizona, for example, cover the definition of a breach, the notification period for patients, and the cost to violators, among other specifics.
What are the Keys to Success for HIPAA Compliance?
Being aware of what the federal and state laws entail is the first step. Then assess your resources, both technical and personnel. You are required to have both in place.
- Choose a Privacy and Security Officer. In large hospital systems, this is likely someone who works at the facility. Smaller offices and hospital systems may need to hire a company like FullScope IT that offers Managed HIPAA Services.
- Make a list of all places where patient information may be stored and/or accessed, including computers and other mobile devices. This would also include paper files, if any, and security of offices, including locking offices and drawers.
- Conduct a risk assessment any time there is a breach, theft, or change to software or hardware. If none of those events has occurred, we recommend an annual risk assessment at minimum.
- Create a policies and procedures manual. Staffing changes. Devices change. Security standards change. It is important for your team to understand what they need to do in case of a breach and/or at an annual assessment. Of course, update the manual with changes too, so everything is as up to date as possible.
- Train employees. With all the pieces in place, it is time to train employees on whom they need to call in case of a breach. They need full HIPAA education to understand the what and why of reporting to the security team. This will help stop the hackers sooner rather than later.
All of this is ongoing, so it may make sense to hire a company that specializes in HIPAA Compliance Services for all or part of the ongoing assessment and implementation.
Our HIPAA Compliance Services include:
- Educating ourselves on the latest in HIPAA Regulations
- Compliance with all aspects of HIPAA Regulations
- Conducting Security Risk Assessments for all your locations
- Assessing security requirements and monitoring, making changes as needed
- Providing documentation, paperwork, and policies to appropriate parties
- Live Coaching and guidance for both HIPAA and Security
For more information on Managed HIPAA Services, please contact us.