HIPAA Compliance Best Practices

With over 20 years in the industry, we have found that these HIPAA compliance best practices are most helpful in securing your organization.


HIPAA Documentation

If documentation is done correctly, it can create a baseline security standard for every process, workforce member, and system at your organization.

Without a recorded comparison of last year’s security plan, your future efforts become much more difficult.

Here are three reasons to keep proper documentation:

  1. Future compliance: If you document your HIPAA compliance efforts this year, you’re making next year’s job that much easier. This turns into less overall stress for you and your team because updating existing documentation is much easier than starting from scratch.
  2. Business continuity: If you change your job or role, documentation will give your successor a great view into the environment.
  3. HHS: If HHS sends you an audit notification, proper documentation will show your compliance efforts. If you can demonstrate how you’re working toward HIPAA compliance in your documentation, they will likely be more lenient.

Remember to make sure you’re actually implementing the policies you document. If you haven’t implemented anything in your documentation, this is a major detriment to you, your PHI, and your organization.

A large part of your HIPAA compliance process and effort should be spent on documentation.

Meet HIPAA Documentation Requirements

Many organizations are confused about what exactly they should document and how they should document it. Generally speaking, you should record the who, what, when, where, how, and why of everything related to PHI in your environment. Documentation should demonstrate in writing where you are today, where you’ve progressed over the years, and what your plan is for the future.

Your documentation should answer questions like:

  • What is your security stance in general?
  • What are your risks and vulnerabilities?
  • How secure are your workstations?
  • Do your workforce members understand how to safeguard PHI?
  • What is the state of your location’s physical security?
  • How does BYOD factor into your security strategy?
  • What have you learned during your HIPAA compliance process?
  • Who are the responsible parties?
  • How are systems configured?
  • What are your authorization and approval processes?

To answer these broad questions, dive into the detailed answers of more specific and technical questions, such as:

  • Who holds your encryption keys, and how do you secure them? Where are encryption keys stored? What are those key holders' responsibilities and role-based access levels?
  • Who has access to your firewalls? How are your firewalls configured? Which systems do your firewalls surround? Are your firewalls up to date? Do you have a change control process?
  • Do you use FTP or SFTP? How is it configured? Do you have vendor documentation for SFTP?
  • What are the roles and responsibilities of those that impact your PHI environment’s security? Do you have this information detailed for daily, weekly, monthly, quarterly, and yearly tasks (where applicable)?

Update Your HIPAA Documentation

The biggest disservice you could do while meeting HIPAA documentation requirements is to spend weeks gathering paperwork, and then place it on a shelf until next year. HIPAA documentation is only as useful as it is accurate.

Just like all of your other weekly activities, documentation should be an ongoing part of your entire business-as-usual security strategy.

Try to examine and adjust at least one piece of documentation each week or as you make organizational updates. Don’t pile it into one day or one month at the end of the year.

HIPAA Training

Most security professionals consider workforce members the weakest link in PHI security and HIPAA compliance. If you don’t give your workforce specific rules and training, they won’t be able to keep up with constantly changing security best practices or secure PHI. Plus, if employees are trained only once, they might forget policies and procedures.

Consistent workforce training and education will remind them that both privacy and security are important, and it will show them how to create good security habits.

You should train your staff regularly (e.g., monthly). Training doesn’t have to be lengthy and detailed. You can break it up into small, simple monthly sessions (e.g., 20-minute presentations), making procedures easier to remember and implement. For example, consider having specific training about the following topics:

  • Social media compliance
  • Password management
  • Acceptable uses and disclosures
  • Social engineering
  • Phishing emails
  • Physical security (e.g., workstations, active and passive medical devices)
  • Disposal of data, media, and equipment

Social media use has become even more prevalent. If employees irresponsibly use social media, their actions can easily lead to serious HIPAA violations. Make sure staff understand the consequences of not following your HIPAA policies.

As you set up your training plan, consider the following tips:

  • Provide training as a mandatory part of new hire orientation
  • Require regular training with all staff members; annual training isn’t enough
  • Add security and compliance training to internal communications (e.g., newsletters, bulletin boards, emails).
  • Keep a repository of policies and procedures (keep these updated and inform staff of updates)
  • Develop a verification process to ensure training completion
  • Document dates and times when workforce members complete their training
  • Evaluate your training program effectiveness each quarter
  • Reduce costs by making training part of your comprehensive educational program

In addition to your training plan, make sure you have and follow appropriate sanctions for workforce members that do not comply with your policies and procedures.

HIPAA Audit

Third party HIPAA assessors are not your enemy; they want to help you make your organization more secure for your workforce members and your patients. But if you aren’t prepared, a government-mandated audit can become a major challenge.

A HIPAA audit isn’t necessarily the result of a whistleblower or a possible HIPAA violation. It’s mainly a way for the Office for Civil Rights (OCR) to assess how healthcare providers are doing with HIPAA compliance and to see if any changes need to be made.

There are a few reasons why your organization may be audited:

  • Complaints: A customer, or even an employee can file a complaint with HHS, which may lead to an audit.
  • Self-reported breach: If you’ve been breached, you have a much higher chance of being audited.
  • At random: The OCR conducts random audits on organizations to see how healthcare entities are doing with HIPAA compliance.

All covered entities and their business associates are eligible for a HIPAA audit.

Conduct Internal Audits

Conducting audits within your organization can help you find resolvable problems in your security. It’s best to do internal audits periodically to find new issues that may appear.

Organizations should engage a third-party security expert to help with conducting a proper security assessment. A security assessor will have experience in HIPAA (and many other security mandates) and will be able to see your organization from an external view (which is what malicious attackers are doing).

If you have time, conducting an internal audit is a good idea to find and resolve any problems before your third-party onsite audit.

HIPAA Budget

The amount required to budget for HIPAA compliance depends on your organization. Here are a few variables that will factor into the cost of your overall compliance:

  • Your organization type: Are you a hospital, business associate, electronic health information exchange (HIE), healthcare clearinghouse, or another type of healthcare provider? Each organization type will have varying amounts of PHI and varying risk levels.
  • Your organization size: Typically, the larger an organization is, the more vulnerabilities it has. More workforce members, more programs, more processes, more computers, more PHI, and more departments mean higher HIPAA costs.
  • Your organization’s culture: If data security is a top priority for upper management, increasing a security budget probably isn’t a major internal struggle. In other cases, management is very hesitant to dish out budgets to HIPAA; this is because they don’t understand their organization’s security liabilities.
  • Your organization’s environment: There are many system aspects that can affect HIPAA compliance costs, such as the type of your medical devices, the brand(s) of your computers, the types of your firewalls, and the model(s) of your backend servers.
  • Your organization’s dedicated HIPAA workforce: Even with a dedicated HIPAA team, organizations usually require outside assistance and consulting to help them meet HIPAA requirements.

Having the proper security budget protects not just your organization but your patients as well.

HIPAA Budget Breakdown

Keep in mind, this is far cheaper than paying for a data breach, which can amount to $180,000 to $8.3 million and above.

Conclusion

With over 20 years in the industry, we have found that these HIPAA compliance best practices are most helpful in securing your organization. For more detailed information on any of these topics, download our free HIPAA Guide.
