Three Things That Must be on Your HIPAA New Year’s Resolution List

by ih-coc admin

by Jay Hodes, President - Colington Consulting

Around this time every year, I write an article regarding HIPAA and New Year’s resolutions because the start of a new year is the time to make sure you finally address HIPAA compliance requirements for your organization. Maybe some of you wished for a holiday gift that included HIPAA dissolving under the current White House administration or that it was easier to implement. But, unfortunately, that dream remains elusive as HIPAA continues to be a nightmare for some organizations.

Although Congress appears to be making some noise about new data breach legislation, none of that proposed legislation is specifically directed at HIPAA requirements. And at this point, there is no traction in Congress to undertake the task of reforming or amending any part of the HIPAA Privacy and Security Rules. That means we need to live with the requirements that are already in place and make sure there is an understanding of what must be done to comply.

There are three critical areas that any HIPAA compliance program must have, regardless of the size of the organization or types of healthcare or related services being provided. If your organization is a Covered Entity or a Business Associate, as defined by regulation, a comprehensive HIPAA compliance program must be in place.

Those three critical areas are 1) having a comprehensive HIPAA Risk Management Plan in place; 2) conducting an accurate and thorough HIPAA Risk Assessment; and 3) providing HIPAA Security Awareness Training to your workforce.

  1. A HIPAA Risk Management Plan is the foundation of your compliance program. It needs to address every HIPAA Security Rule Standard and Implementation Specification with written policies and procedures covering the administrative, physical, and technical safeguards. Each implementation specification is either Required or Addressable. Addressable does not mean optional: for an Addressable specification, your organization applies the "reasonable and appropriate" standard, assessing whether the specification is a reasonable and appropriate safeguard in your environment and, if it is not, implementing an alternative measure that achieves the same purpose (or documenting why no measure is needed). In every case, document the assessment, the decision, and how the chosen measure is carried out.
  2. If you are a Covered Entity or Business Associate, you must conduct a HIPAA Risk Assessment; it is a Required implementation specification, not an Addressable one. The Security Management Process Standard in the Security Rule requires organizations to "implement policies and procedures to prevent, detect, contain, and correct security violations," and its Risk Analysis specification calls for an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic Protected Health Information (ePHI) the organization creates, receives, maintains, or transmits. The risk assessment shows where your administrative, physical, and technical safeguards fall short of the Rule and reveals where ePHI is exposed; its findings are what your Risk Management Plan must then act on.
  3. HIPAA Security Awareness Training is required for all members of a Covered Entity's workforce. This includes management, physicians, full- and part-time employees, interns, and even volunteers. The Security Rule does not fix a training interval, but annual training supplemented by periodic security reminders is the accepted practice. For Business Associates, any workforce members who access electronic Protected Health Information or other PHI must receive this training. It is critical that organizations document that training was provided: who was trained, when, and what was covered, with the records retained for at least six years as the Security Rule's documentation standard requires.

HIPAA compliance must be a priority for any organization that is subject to these regulatory requirements, and not just as a one-time New Year's resolution. Managing a HIPAA compliance program is not a "one and done" exercise; it is an ongoing process. Thus, perhaps a better New Year's resolution is to keep the implementation of these requirements a priority throughout the year so that HIPAA does not become the nightmare that some believe it to be.