We take chances every day, in the firm hope of a payoff, no matter how small.
But a breach of protected health information (PHI) or electronic protected health information (ePHI) could place your organization at risk for fines for failing to comply with the Health Insurance Portability and Accountability Act (HIPAA).
Unlike some compliance requirements that only apply to the private sector, all public sector organizations are required to comply with HIPAA’s rules. In fact, HIPAA compliance may be even more critical for public entities given your standing in the communities you serve and the sensitivity of the information you store. With the increase in the number of remote workers, the ever-present threat of cybersecurity breaches, and, more recently, the privacy concerns around reproductive health, there are multiple reasons that reinforce the need for strong HIPAA compliance.
Three steps to creating a comprehensive HIPAA compliance program
1) Document your HIPAA policies and procedures
Your HIPAA policies and procedures act as the playbook for how your group health plan will comply with HIPAA’s requirements and, as such, will be one of the first things checked if you are audited by the Health and Human Services Office for Civil Rights.
These documents are highly customized to the way your organization operates. Privacy policies and procedures address when, how, and to whom disclosures of PHI are permitted and how to obtain authorizations to release protected health information. They also identify your team members with access to PHI and prescribe who should be trained.
The security policies and procedures describe how your organization will protect PHI and ePHI from a workplace and system security perspective. They incorporate physical, technical, and administrative safeguards, accounting for the measures your employees will take to secure the HIPAA data you collect, store, and disseminate while administering the group health plan.
Individual rights, business associate agreements, forms, and templates such as the Notice of Privacy Practices, Uses and Disclosures Tracking Form, and Breach Incident Reporting Forms are all typical components of a thoroughly documented privacy policy and procedure.
2) Assess your risks – HIPAA’s required risk/threat analysis
A risk analysis considers a range of threats but also provides a range of possible solutions.
It’s important to note that health plans and their business associate vendors with access to protected health information have a responsibility to conduct a thorough risk assessment.
To conduct a risk analysis, your organization must identify and inventory the locations where PHI and ePHI are stored. For example, there may be PHI in HRIS systems, email, various benefits administration systems, applications, physical storage locations, cloud servers, networks, and websites, to name a few.
Once the inventory is complete, your team must weigh the likelihood/frequency, cost/impact, vulnerability, and mitigating controls for each type of natural, human, and environmental threat that may apply. High-risk threats should be mitigated through safeguards until the residual risk is lowered to an acceptable level. The risk analysis itself must be well documented and shared with all parties responsible for protecting PHI/ePHI.
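The following is an added example, not part of the original article, that turns the risk analysis procedure above into a small risk register: inventory each PHI/ePHI location, rate likelihood, impact, and vulnerability, credit the mitigating controls already in place, and keep applying safeguards until the residual risk falls under an acceptable threshold. The 1-to-5 rating scale, the multiplicative scoring model, the threshold of 30, the fractional risk reduction attributed to each control, and the sample assets are all constructed assumptions for illustration; HIPAA does not prescribe a scoring formula.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed convention for this example: each factor is rated 1 (low) to 5 (high),
# so inherent risk ranges from 1 to 125. The threshold is a constructed value
# that an organization would set for itself, not a HIPAA-mandated number.
ACCEPTABLE_RISK = 30.0


@dataclass
class PhiAsset:
    """One inventory entry: where PHI/ePHI lives and the threat being assessed."""
    name: str
    location: str        # e.g. "HRIS database", "email mailboxes", "locked file room"
    threat: str
    likelihood: int      # 1..5
    impact: int          # 1..5 (cost/impact of a breach)
    vulnerability: int   # 1..5 (how exposed the location is to this threat)
    # Mitigating controls as (safeguard name, fraction of remaining risk it removes).
    controls: List[Tuple[str, float]] = field(default_factory=list)


def inherent_risk(asset: PhiAsset) -> float:
    """Risk before any mitigating controls: likelihood x impact x vulnerability."""
    for factor in (asset.likelihood, asset.impact, asset.vulnerability):
        if not 1 <= factor <= 5:
            raise ValueError("likelihood, impact and vulnerability must be rated 1..5")
    return float(asset.likelihood * asset.impact * asset.vulnerability)


def residual_risk(asset: PhiAsset) -> float:
    """Risk after each control has removed its stated fraction of the score."""
    score = inherent_risk(asset)
    for _, reduction in asset.controls:
        if not 0.0 <= reduction < 1.0:
            raise ValueError("a control's reduction must be in [0, 1)")
        score *= 1.0 - reduction
    return round(score, 1)


def needs_mitigation(asset: PhiAsset) -> bool:
    """High-risk items are those whose residual risk exceeds the accepted level."""
    return residual_risk(asset) > ACCEPTABLE_RISK


def mitigate_until_acceptable(asset: PhiAsset,
                              candidates: List[Tuple[str, float]]) -> List[str]:
    """Apply candidate safeguards in priority order until the residual risk is
    acceptable. Returns the names of the safeguards that were actually applied,
    so the decision can be documented alongside the register."""
    applied: List[str] = []
    for name, reduction in candidates:
        if not needs_mitigation(asset):
            break
        asset.controls.append((name, reduction))
        applied.append(name)
    return applied


def risk_register(assets: List[PhiAsset]) -> List[Dict[str, object]]:
    """The documented output of the analysis: one row per asset, highest
    residual risk first, with the controls credited for each."""
    rows = []
    for a in assets:
        rows.append({
            "asset": a.name,
            "location": a.location,
            "threat": a.threat,
            "inherent": inherent_risk(a),
            "residual": residual_risk(a),
            "controls": [name for name, _ in a.controls],
            "action_required": needs_mitigation(a),
        })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


def sample_email_asset() -> PhiAsset:
    """Constructed sample: claims correspondence in mailboxes, no controls yet."""
    return PhiAsset("Claims correspondence", "email mailboxes",
                    "misdirected email", 5, 5, 5)


# Constructed sample inventory covering a few of the locations named in the text.
SAMPLE_ASSETS = [
    PhiAsset("Enrollment records", "HRIS database", "credential theft", 4, 5, 4,
             controls=[("encryption at rest", 0.5), ("MFA for administrators", 0.4)]),
    sample_email_asset(),
    PhiAsset("Paper enrollment forms", "locked file room",
             "unauthorized physical access", 2, 4, 2,
             controls=[("badge access log", 0.3)]),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_ASSETS):
        print(row)
    email = SAMPLE_ASSETS[1]
    applied = mitigate_until_acceptable(email, [
        ("DLP rule blocking PHI in outbound mail", 0.6),
        ("mandatory attachment encryption", 0.5),
        ("annual refresher training", 0.2),
    ])
    print("applied:", applied, "residual:", residual_risk(email))
```

The register sorts by residual rather than inherent risk so that an already well-controlled system does not crowd out the uncontrolled mailbox at the top of the list, and `mitigate_until_acceptable` records which safeguards were actually needed, which is the part an auditor will ask you to show.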
3) Train your workforce – HIPAA’s training requirement
For sponsors of group health plans, HIPAA training is a requirement. Lack of training for employees exposed to PHI was identified as a primary area of concern in audit reviews conducted by the Office for Civil Rights. It’s critical to include HIPAA training during the onboarding of new employees with access to PHI. Attendance at all HIPAA training sessions should be documented, as these records can be requested during audits and investigations.
Training content must include “HIPAA basics” for those unfamiliar with the law, an overview of the privacy and security rules, including leading practices, and what steps to take in the event of a breach (including identification, notification, and additional tasks that may be necessary after a confirmed breach).
Of equal importance is to emphasize specific areas of concern within your organization and to update the content regularly to address new issues and threats, along with leading practices to mitigate risk. Training should also be refreshed when HHS issues new guidelines or rules and when your own policies and procedures change.
Keep diligent
In today’s environment, it’s crucial to develop sound policies and procedures, perform systems assessments, document the necessary risk/threat analysis, and train your workforce to fulfill the responsibilities associated with handling PHI.
Diligence is defined as a steady, earnest, and energetic effort, which is precisely what is called for when it comes to HIPAA compliance. Although not a small undertaking, following these steps will result in your organization being better prepared to address any of the challenges to the privacy and security of group health plan data that may lie ahead.