The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law that establishes national standards to protect individuals’ medical records and other personal health information. The law applies to health plans, clearinghouses, health care providers and related entities conducting health care transactions electronically. The Department of Health and Human Services (HHS) implemented the Omnibus Rule in 2013, strengthening these privacy and security standards. As healthcare organizations, large and small, have come to rely more heavily on technology, understanding HIPAA regulations has become even more critical for stakeholders. For instance:
- Participants in Medicare MIPS and Medicaid Meaningful Use programs must, in the majority of cases, complete and upload a Security Risk Assessment (SRA) upon attestation. The SRA needs to be followed by remediation of the deficiencies it identifies.
- Similarly, covered entities are responsible for holding their Business Associates accountable for HIPAA compliance by ensuring that they have proper documentation to support access and compliance.
- Both Covered Entities and Business Associates are vulnerable to audits.
- An SRA should be completed annually at a minimum, and additionally during any significant organizational change.
HIPAA auditors routinely look for deficiencies and additional documentation to verify your continued and strengthened participation in HIPAA compliance. Below are some of the key requirements from a HIPAA compliance process standpoint.
- Implementation and management of HIPAA policies and procedures, including the definition of requirements
- Evaluation of the organization’s HIPAA compliance status, including documentation of risks and remediation plan/actions
- Identification and documentation of breaches and instances of non-compliance with HIPAA’s privacy and security rules, including logging of issues and reporting
- Central administration of all HIPAA-related data, documentation, and information
- Consistently updated HIPAA agreements between covered entities and business associates
To evaluate whether you are meeting the minimum requirements for HIPAA compliance, you can ask yourself the questions below:
- Did you complete a Security Risk Assessment (SRA) of your organization in 2019, and did you work with your IT staff to remediate the findings of the SRA?
- If you have a wireless network, are the security controls properly defined and enabled (e.g., known access points, data encryption, firewalls, etc.)?
- Do you have an updated HIPAA agreement in place from each of your Business Associates or Vendors?
- Do you have documentation of what updates or changes have been implemented to improve your HIPAA compliance?
- Do your employees receive regular training on HIPAA compliance, including how to use technology securely and stay protected from external threats?
If you answered “No” to any of the above questions, you may want to consider getting some help navigating the HIPAA rules and regulations. You are welcome to get in touch with one of our well-versed HIPAA consultants for a complimentary consultation.
By: Tiffany Short, Director of Consulting Services