With the recent announcement of random HIPAA compliance audits by the U.S. Department of Health and Human Services' Office for Civil Rights (OCR), combined with a ransomware epidemic that can end in protected health information being compromised, the misconception that your information technology (IT) partner fully understands, and is responsible for, 100% of your HIPAA compliance could put your practice at risk.
While your IT adviser is a critical component to providing technical safeguards for your practice, HIPAA also requires physical and administrative safeguards, often misunderstood even by the most experienced IT professionals. Most medical and dental offices just don't have the time or resources to fully understand and implement all of HIPAA's requirements.
However, the risks of a data breach, ransomware attack, random audit, or HIPAA privacy incident are accelerating. It's more important than ever for practices to designate a HIPAA security and privacy officer to work with their IT professionals and identify any gaps in compliance and data security.
Top 5 requirements outside of IT
Information technology professionals focus on the technical safeguards, but other safeguards must be addressed. Here are the five most important HIPAA requirements that don't typically fall under an IT-managed service agreement:
1. Updated policies and procedures
HIPAA requires that every practice maintain current, written policies and procedures for protecting sensitive health information. More than 20 different policies and procedures must be documented, including business associate agreements, acceptable use policies, sanction policies, and the policy designating the practice's HIPAA privacy and security officers.
2. Emergency and disaster recovery plans
Your IT partner can and should help you prevent a ransomware attack, but HIPAA still requires that every practice maintain a documented plan that identifies the following:
- Key team members and their responsibilities
- How health information will be secured and restored during an emergency
- Documented processes and procedures that will keep operations running
An IT adviser typically doesn't have the responsibility of creating these plans for practices.
3. HIPAA risk assessment
Every practice must also undergo a mandatory HIPAA risk assessment to identify and understand its vulnerabilities. The assessment is not purely technical: it must cover the technical, physical, and administrative safeguards required under the law, so a network scan or antivirus report from your IT provider does not satisfy it on its own.
4. Employee training
All employees must be trained on HIPAA requirements, and documentation must be in place to prove compliance. A security and privacy officer must be designated by the practice to lead HIPAA compliance.
5. Breach notification requirements
HIPAA's Breach Notification Rule requires covered entities to notify affected patients of a breach of unsecured protected health information and to report it to the U.S. Department of Health and Human Services; when a breach affects more than 500 residents of a state or jurisdiction, HHS must be notified within 60 days and prominent media outlets serving that area must be notified as well, while smaller breaches are logged and reported to HHS annually. Business associates that discover a breach must notify the covered entity so it can meet these obligations. Also needed are updated business associate agreements, which document how the business associate will comply with HIPAA's requirements for using, disclosing, and safeguarding patient information.
In fact, if your IT provider has never asked you to execute a business associate agreement, that is a strong sign it is not current on HIPAA's requirements, which make business associates directly liable for safeguarding the patient information they handle. Don't automatically expect your IT provider to be fully up to speed on these requirements.
Part 2 will discuss some simple, inexpensive steps your practice can take to address these issues.
Jeff Broudy is the founder and CEO of PCIHIPAA, which offers HIPAA compliance and data security solutions to small and midsized medical and dental practices. Take its HIPAA risk assessment.
The comments and observations expressed herein do not necessarily reflect the opinions of DrBicuspid.com, nor should they be construed as an endorsement or admonishment of any particular idea, vendor, or organization.