HIPAA COMPLIANCE AND SAFEGUARDS
Attempting to become, and remain, HIPAA compliant can be daunting and more than a bit confusing. HIPAA requires all relevant businesses to implement the appropriate safeguards to ensure that their customer’s electronic protected health information (ePHI) is kept confidential and secure.
There are three parts to the HIPAA Security Rule:
1. Administrative Safeguards
2. Physical Safeguards
3. Technical Safeguards
Each set of safeguards is complicated in its own right. However, broken down into sensible pieces, it’s apparent that they are not as daunting as they initially appear.
In this article, we’ll take a look at the administrative safeguards associated with HIPAA. These safeguards can, for the most part, be easily implemented at your office today.
The administrative safeguards associated with HIPAA are a collection of policies and procedures that concern the conduct of your workforce, along with the security measures you will need to put in place to protect your customer’s ePHI.
The components include assigning a privacy officer, completing an annual risk assessment, ensuring employee training, and executing the required agreements with all partners who might be handling ePHI.
When we look at them closer, administrative safeguards consist of these specific elements:
1. Security Management Process
2. Assigned Security Responsibility
3. Workforce Security
4. Information Access Management
5. Security Awareness and Training
6. Security Incident Procedures
7. Contingency Plan
To properly implement these administrative safeguards, there are several steps to undertake.
Security Management Process – Includes both risk analysis and risk management. Use risk analysis to see where your ePHI is being used and stored and try to forecast all the ways that could violate HIPAA. Risk management means implementing measures that will reduce the potential of HIPAA violations. Security management should include regular IT system activity reviews and ePHI access logs.
Assign Security Responsibility – At least one HIPAA “security and privacy officer” should be assigned and adequately trained within each office.
Workforce Security – Implement procedures to authorize and supervise employees who work with ePHI, and ensure that an employee’s access to ePHI ends when their employer does.
Information Access Management – Ensure that ePHI is not accessible by unauthorized outside entities (subcontractors). Implement a standardized policy for authorizing external entities that will have access to ePHI.
Security Awareness and Training – Ensure that there are procedures for employees to follow when creating and changing their system passwords. Institute a way to monitor and report employee login activity and periodically send employees reminders about security and privacy policies.
Security Incident Procedures – Develop a standardized way to document and respond to security incidents.
Contingency Plan – Develop solid business continuity plans that can continue necessary business functions in case of emergency, accessible backups of ePHI data, and the ability to restore it if lost. Periodically test these plans and revise them as necessary.
Evaluations – Because your business procedures, technology requirements, and workforce are continually changing, evaluate and update your HIPAA compliance procedures regularly.