HIPAA compliance doesn’t have to be unmanageable.
To view this post in its original format, watch the How to Prioritize HIPAA Compliance webinar.
If you read part 1 of this series, you will recall that I discussed the importance of starting with a Risk Analysis as the first step of this 3-step prioritized approach that focuses on the Security Rule:
Now, let’s jump into the fun part: how are we going to deal with all the risks and vulnerabilities that we just found?
After you have analyzed your risk, you need to come up with a plan to become HIPAA compliant. You can do this on your own, or get help from a security auditor (like me!) who is trained to craft the most straightforward and effective plan. Think of it as a road map.
In your Risk Management Plan, you need extensive documentation that shows you take sufficient security measures to reduce risks and vulnerabilities. Be sure to include the following:
You need to choose and implement a risk strategy for every risk you identified in your Risk Analysis; there are many different risk strategies to choose from, so document which one applies to each risk.
You need to document milestones, specifically your goals and achievements: what your goals were, when you planned to complete them, and when you actually achieved them.
See also: SecurityMetrics HIPAA Guide
While planning for the future, it's important to identify the parties who affect your risk now and will continue to affect it in the future. Identifying and mitigating the risks associated with these groups will increase your security immensely.
Oftentimes, employees are not trying to be malicious (though it does occur). In many cases, the employee actions that pose a risk to your security are unintentional, well meaning, or negligent. These employees often do not realize they have caused a security breach.
Put controls in place so your employees aren’t allowed to hurt your data, systems, and business. For example:
See also: Social Engineering Training: What Your Employees Should Know
Ponemon Institute's 2014 study shows only 30% of covered entities felt confident that their business associates were properly handling their PHI, which is a staggering statistic considering how much your business associates can affect your security. As that statistic suggests, your business associates pose some of the greatest risks to you. They are definitely not all bad, but once you share data, you no longer have a way to control and safeguard that data yourself.
According to the 2013 HIPAA Omnibus Rule, you need to have and maintain up-to-date Business Associate Agreements (BAAs). You should also review all your vendors before contracting with them. A BAA does not relieve you of your own liability and responsibility for HIPAA compliance.
Your IT guy is probably great and does many things for your organization, but he might not be trained in security. IT professionals each have a different set of skills, just as an anesthesiologist and a cardiologist have different specialties.
As a result, your systems may not be properly implemented, especially your firewall and remote access system. Usually, firewalls are configured to allow communication with the other devices in your environment, but some are configured to allow traffic into and out of your network that should not be allowed. Remote access systems are also often set up incorrectly. Make sure your remote access is protected with two-factor authentication.
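The following is an added example, not code from the original post or from SecurityMetrics, that shows what "access in and out that shouldn't be allowed" looks like in practice. It audits a small, constructed firewall rule list (the Rule fields and sample rules are my own simplified format, not any vendor's syntax) and flags inbound allow-anything rules, remote access ports such as RDP or SSH exposed to any source, and outbound allow-anything rules, then shows a tightened ruleset that passes the same check.

```python
"""Audit a simple firewall rule list for overly permissive entries.

Added example (not from the original post). The Rule format, field names
and the sample rules below are constructed for illustration only.
"""
from dataclasses import dataclass
import ipaddress

# Ports commonly used for remote access; exposing them to any source is a finding.
REMOTE_ACCESS_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str      # "inbound" or "outbound"
    action: str         # "allow" or "deny"
    src: str            # CIDR, or "any"
    dst: str            # CIDR, or "any"
    port: str           # port number as a string, or "any"


def _is_any(cidr: str) -> bool:
    """True if the address field matches everything ("any" or a /0 network)."""
    if cidr.lower() == "any":
        return True
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net.prefixlen == 0


def audit_rules(rules):
    """Return (rule_name, finding) pairs for allow rules that look too permissive."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src_any, dst_any, port_any = _is_any(r.src), _is_any(r.dst), r.port == "any"
        if r.direction == "inbound" and src_any and port_any:
            findings.append((r.name, "inbound allow from any source to any port"))
        elif (r.direction == "inbound" and src_any and r.port.isdigit()
              and int(r.port) in REMOTE_ACCESS_PORTS):
            svc = REMOTE_ACCESS_PORTS[int(r.port)]
            findings.append((r.name, f"{svc} exposed to any source; restrict to VPN/admin "
                                     f"ranges and require two-factor authentication"))
        elif r.direction == "outbound" and dst_any and port_any:
            findings.append((r.name, "outbound allow to any destination on any port"))
    return findings


# Constructed sample rules. WEAK_RULES resembles the "allow everything" setups the post
# warns about; HARDENED_RULES is a tightened equivalent with an explicit default deny.
WEAK_RULES = [
    Rule("allow-all-in", "inbound", "allow", "any", "10.0.0.0/24", "any"),
    Rule("rdp-from-internet", "inbound", "allow", "0.0.0.0/0", "10.0.0.5/32", "3389"),
    Rule("allow-all-out", "outbound", "allow", "10.0.0.0/24", "any", "any"),
]
HARDENED_RULES = [
    Rule("https-in", "inbound", "allow", "any", "10.0.0.10/32", "443"),
    Rule("rdp-from-vpn", "inbound", "allow", "10.8.0.0/24", "10.0.0.5/32", "3389"),
    Rule("dns-out", "outbound", "allow", "10.0.0.0/24", "10.0.0.53/32", "53"),
    Rule("web-out", "outbound", "allow", "10.0.0.0/24", "any", "443"),
    Rule("default-deny-in", "inbound", "deny", "any", "any", "any"),
    Rule("default-deny-out", "outbound", "deny", "any", "any", "any"),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: {audit_rules(rules)}")
```

The hardened set still permits the RDP access the business needs, but only from the VPN subnet, which is where the two-factor authentication the post recommends can be enforced; the checker cannot see whether 2FA is actually configured, so that part of the review still has to be done on the remote access system itself.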
I would suggest you check that your IT staff are updating your systems and applications regularly, especially the following:
HIPAA compliance doesn’t have to be unmanageable. Break it up into manageable pieces. Start with small changes, such as designating a privacy and security officer, beginning your risk analysis, and outlining your specific plans for data security at your organization.
If you’re still overwhelmed, talk to a company like SecurityMetrics, who can assist you in a guided HIPAA compliance process.
Remember, your security matters.