Avoiding HIPAA violations is vital to any organization. This is especially true since penalties have continued to increase under the Omnibus Final Rule.
The following 10 steps are suggested to help organizations achieve HIPAA compliance with the final rule:
1 - Development of Privacy Policies
Privacy policies play a major role in HIPAA compliance. Under the final rule, healthcare organizations must develop and implement privacy and security policies and procedures. These policies and procedures should be well documented and include steps to take when a breach occurs.
2 - Appointment of Privacy and Security Officers
Security goes hand in hand with privacy. Therefore, all healthcare organizations should have a privacy and security guard. These jobs can be done by two people or one individual, but they must be conversant with all HIPAA regulations and policies.
3 - Conducting Regular Risk Assessments
Health privacy and security is at risk daily, in this technological age. In order to identify vulnerabilities, healthcare organizations should regularly conduct risk assessments. This will ensure that health information is secure and prevent future problems.
4 - Adoption of Email Policies
In regard to the use of email, policies must be in place that both protect and guard the transfer of health information. While HIPAA does not prevent the use of email for transmitting protected health information, healthcare organizations should make sure that their patients are aware of the risks that come with distributing health information over email. Email encryption is the best solution for healthcare organizations. It ensures that patient health information remains secure.
5 - Adoption of Mobile Device Policies
Strict policies should be implemented regarding the storage of protected health information on portable electronic devices. The removal of these devices should be regulated from the premises. Healthcare organizations should familiarize themselves with HHS guideline on how to properly use mobile devices.
6 - Training
Regulations and policies are continually changing to stay on top of privacy and security risks. For this reason, all employees that disclose protected health information need proper training in order to stay in compliance with HIPAA. There should also be regular refresher courses to update employees on new policies and procedures.
7 - Notice of Privacy Practices
A notice of privacy practices gives patients a sense of security because it helps them understand just how their information is protected. All patients should receive a Notice of Privacy Practices. This should also be displayed on the healthcare organization's website and the organization should obtain an acknowledgment receipt from all of their patients.
8 - Entering into Valid Agreements
Healthcare organizations work with a myriad of business associates, from billing to imaging. Before entering into any new agreements, organizations must verify the validity of all associates and subcontractors. Any existing and future business associate agreements should be in compliance with updated changes to HIPAA under the final rule. One such change is the expansion of business associate liability.
9 - Adoption of Potential Breach Protocols
All healthcare organizations must have a protocol for investigating potential breaches of protected health information. The Risk of Harm Standard and the risk assessment test can be used to determine if a breach has occurred. The appropriate authorities should be contacted if a breach has occurred.
10 - Implementation of Privacy Policies
Having policies is good, but without proper implementation, they are empty words. Privacy and security policies must be properly implemented by healthcare organizations. Moreover, violation of these policies should result in the sanction of any employee who violates them.
Following these 10 steps helps to ensure that healthcare organizations remain HIPAA compliant. With the changes and updates of this final rule, staying on top of HIPAA compliance means a smaller likelihood of violation and penalty. It’s also advised that healthcare organizations check the available resources on the Office of Civil Rights website.