With the Office for Civil Rights (OCR) readying for phase 2 of its Health Insurance Portability and Accountability Act (HIPAA) audits, there's no better time than the present to review your policies and procedures. First and foremost, you should follow these four steps, as they will set your healthcare practice on the right path towards compliance.
Step #1) Check for Safeguards
One of the first steps towards HIPAA compliance is to check and make sure all of the necessary safeguards are in place. As per the Security Rule, covered entities must use a combination of physical, administrative and technical safeguards to prevent unauthorized access to Electronic Protected Health Information (EPHI). Physical safeguards consist of tangible security measures such as locked doors and video surveillance systems. Administrative safeguards consist of HIPAA-related policies and procedures. Technical safeguards consist of intangible security measures such as encryption and network monitoring systems. The bottom line is that you need to implement all three categories of safeguards whenever you store or otherwise handle EPHI.
Step #2) Review Business Associate Agreements
In addition to implementing the three safeguards mentioned above, covered entities should also review their Business Associate Agreements (BAAs). Countless covered entities have been cited in the past for failing to use BAAs, while others have been cited for using erroneous and/or outdated BAAs. Don't let this happen to your practice: review your BAAs before a potential HIPAA audit to ensure they are correct and up to date. If they aren't, use this time to fix them.
Step #3) Conduct a Security Audit
Of course, it's also a good idea to conduct your own internal HIPAA security audit. During this audit, you should look for gaps in security that could otherwise increase the risk of a data breach. Far too many covered entities overlook this step, only to be hit with a fine and/or corrective action by the OCR when it conducts its HIPAA audits.
Step #4) Train Staff
Are your employees trained on the nuances of HIPAA compliance? If not, they should be. Employees are an extension of your practice, and they must also comply with HIPAA when conducting business on its behalf. If just one employee makes a mistake, it could surface as a HIPAA violation during an audit. Training isn't a one-time event, either: employees should receive ongoing training to ensure they remain fully knowledgeable about HIPAA.