HIPAA Compliance Simplified: The How-To Guide for Healthcare Professionals

April 14th, 2017 by admin

Two HIPAA rules govern how clinics protect ePHI and all other PHI: the Privacy Rule and a subset called the Security Rule. Sometimes the rules tell clinics exactly what to do, but there are many items where clinics are allowed to use their own good judgment.

The three main phases to reach HIPAA Compliance are (1) perform Annual Risk Assessments, (2) create a Policy Manual, and (3) Continue Improving. These phases (explained below) are the easiest way to reach HIPAA compliance. The Annual Risk Assessments help ensure that your clinic’s technology is secure and that the proper safeguards are in place. Your Policy Manual should blend industry best practices with custom approaches specific to your clinic. The first two phases take a lot of time and effort and can last several months. When they are complete, your clinic could pass a HIPAA audit by HHS. But in order to stay secure and compliant and pass audits in future years, make sure your clinic stays diligent with the Continual Improvements phase.

During these three phases, it’s essential for your clinic to develop, then follow, appropriate administrative, physical, and technical safeguards, as well as track your compliance efforts. This will protect you in the event of an audit by proving that proper policies were written up and followed for up to the previous six years.


1. Annual Risk Assessment

Q. What is a risk assessment?
A. An Annual Risk Assessment consists of three parts: a technology scan, a HIPAA Facility Survey and a HIPAA Management Plan. Together these parts provide a snapshot of how your clinic is currently doing and a detailed (and I mean REALLY detailed) plan of exactly what needs to change and how you can improve.

Q. How often should you get a risk assessment?
A. We recommend getting a risk assessment every year as a minimum. Some clinics prefer to do them quarterly in order to show improvement over time.

Q. How do you get a risk assessment?
A. Lucky for you, these are one of our specialties. We have performed risk assessments for chiropractic offices, family practice clinics, and specialists such as cardiology and optometrist offices.

Q. What exactly is included? (All the nitty-gritty details)
A.
  1. The technology scan will:
    • Identify locations of ePHI and PHI
    • Report on vulnerabilities, threats, and possible impact if PHI is compromised
    • Detail how the data is protected while it moves - both inside and outside the clinic
    • Outline current protections and plans for improvement
    • Provide technology reports such as access lists, users, shared folders, PCs and servers, file scans, and more
  2. The HIPAA Facility Survey consists of:
    • Gathering a list of crucial facility questions
    • Walking through each clinic site to identify physical security measures and user-based controls
    • Taking before and after pictures of compliance changes
  3. Your HIPAA Management Plan will:
    • Grade your security risks
    • Create specific plans for improvement
    • Show how you have followed through with your plans


2. Policy Manual

Q. What is a policy manual?
A. If an HHS audit occurs, you’ll need to immediately provide your HIPAA policies and procedures. These spell out both what you do (policies) and how you do it (procedures), and they are what make up your policy manual. Your policy manual should closely follow industry best practices, but should also be customized and simplified to your situation.

Q. How often should your policy manual be updated?
A. The easiest time to create (or update) your policy manual is during each annual risk assessment.

Q. How do you get a policy manual?
A. We will create and update your policy manual during each risk assessment. We do this by (1) beginning with industry best practices and (2) customizing the policies and procedures to fit your clinic’s environment.


3. Continual Improvements

Q. Why are continual improvements important?
A. The first two phases take a lot of time and effort and can last several months. When they are complete, your clinic could pass a HIPAA audit by HHS. But in order to stay secure and compliant and pass audits in future years, your clinic needs to be continually improving its standards.

Q. What is the best approach for making these improvements?
A. Your clinic always needs to be able to prove compliance and show it is following its customized HIPAA Management Plan. This is done by keeping an Evidence Report up-to-date and reviewing it during each annual Risk Assessment. Typical data included in an evidence report is:
  • Simplified technology “quick-scans” (recommended quarterly)
  • User & computer lists
  • Security access details including login data and event logs
  • Other supporting worksheets and relevant information such as patch logs
  • Documentation from the previous six years
  • Review clinic’s recent HIPAA-related changes
  • Track progress
  • Ongoing employee training

Adhering to these three phases will guarantee that your clinic is free from fines and compliant with HIPAA standards. Equinox can help you with each step.

Posted in: Protection, Security, Tech Tips
