2016 HIPAA Audits Part 4: 10 Steps to Compliance
by Donna Koger, 11.9.15
HIPAA Compliant Practice Management
HIPAA audits are projected to increase in 2016, starting at the beginning of the year. Maintaining HIPAA compliance is always critical to the viability of a practice, and it matters even more when audits are on the rise. Here are 10 steps to help you get there. Covered Entities (CEs) should:
1. Develop Privacy Policies
Develop and implement privacy and security policies and procedures. Be sure to document every policy, including the steps to take when a breach occurs.
2. Implement Privacy Policies
Privacy and security policies must be properly implemented by CEs, with documented sanctions for workforce members who violate them.
3. Appoint Privacy and Security Officer(s)
Designate a privacy officer and a security officer within your organization (the two roles may be held by the same person) who are familiar with all HIPAA regulations and your policies and can spearhead the necessary compliance tasks.
4. Conduct Regular Risk Assessments
Conduct regular risk assessments to identify vulnerabilities. This helps ensure the confidentiality, integrity and availability of Protected Health Information (PHI). It is critical to remediate identified risks and revise policies as needed to minimize them.
5. Adopt Potential Breach Protocol
A protocol for investigating potential breaches of PHI is a must. A breach risk assessment can be used to determine whether an impermissible use or disclosure of PHI is a reportable breach. If so, it is essential that the Covered Entity document the results of the investigation and notify the affected individuals, HHS and, where required, the media.
6. Adopt Email Policies
Develop policies regarding the use of email. According to Amanda L. Enyeart, JD, "The Office of Civil Rights does not look too kindly on organizations who haven't established policies regarding mobile devices and email communication."
HIPAA does not prohibit the use of email for transmitting PHI; however, you should be aware of, and follow, the specific HIPAA guidelines for email.
7. Adopt Mobile Device Policies
Adopt strict policies regarding the storage of PHI on portable electronic devices, such as cell phones and tablets, and regulate the removal of those devices from the premises. HHS has issued guidance regarding the use of mobile devices.
8. Train Employees
Training all employees who use or disclose PHI, and documenting that training, is an important step toward HIPAA compliance. Covered Entities should also conduct refresher courses, train new employees and instruct employees in any new policies and procedures.
9. Notify Clients of Privacy Practices
The Notice of Privacy Practices (NPP) should be correctly published and distributed to all patients. It should also be prominently displayed in the office and on the practice's website, and the organization should make a good-faith effort to obtain a written acknowledgement of receipt from each patient.
The NPP should be updated whenever policies are revised and may need to be updated to reflect the provisions of the 2013 HIPAA Omnibus Final Rule.
10. Enter Into Valid Agreements
Ensure your organization has valid agreements in place with all Business Associates and their subcontractors. Existing business associate agreements (BAAs) may need to be updated to reflect the changes to HIPAA under the Omnibus Final Rule, such as the expansion of Business Associate liability.
Donna Koger is currently the HIPAA Compliance Officer and materials developer for software training and support at Smoky Mountain Information Systems, home of PIMSY EHR. Ms. Koger is also a regular contributor to the PIMSY EHR Blog.