Keeping your patients’ healthcare information protected is critical, especially with cybercriminals and phishing campaigns becoming more sophisticated. A shocking 77 percent of healthcare organizations have been breached, with nearly half of them dealing with a breach just within the past year. Protected health information (PHI) is worth a lot: whereas a hacker may get pennies for your social security number or credit card information, an electronic health record (EHR) can bring in hundreds to thousands of dollars. A patient’s insurance information can be used to do things like make a doctor’s appointment to get a prescription, purchase devices or submit false claims.
You should be conducting a HIPAA risk assessment every year, but what should you be doing directly after that assessment? And, do you have the skills and expertise to prevent or resolve HIPAA-related problems?
Tackling the most pressing HIPAA requirements first
Healthcare practices understand that they always have to be making progress toward full and up-to-date HIPAA compliance. Since it’s difficult to get everything up to speed at one time, though, especially for smaller practices, it’s important to know which battles you must pick now and which ones you can leave until later. Once you know which HIPAA compliance goals to tackle ASAP, you can push to get them included in the budget.
One of the biggest mistakes practices make in regard to HIPAA compliance is not properly prioritizing items. Compliance requirements can be broad, and they become even more confusing if they’re not broken down and prioritized in the best way for the situation at hand.
Wondering how to handle the next HIPAA-related situation that arises? Follow these steps.
- Appoint a security officer you can count on. Their primary role will be tackling the situation, which includes observing, reporting and responding to problems, but they will also have the job of preventing issues before they arise. The best security officers are adept at communication, too, and will be able to communicate clearly and efficiently, especially in the midst of handling an issue.
- Focus on the PHI, considering everything from how it flows through your organization to who has access and how that access is both controlled and audited. This will include operational procedures, such as how your employees protect PHI, which starts with the proper training (and may require additional or reminder training for long-standing employees).
- Identify your HIPAA Business Associates (entities or individuals who use PHI on behalf of your practice) and make sure they’re following the same level of requirements as your practice by having them perform and provide the results of a HIPAA assessment. Your HIPAA Business Associates should be held accountable when it comes to compliance: if there’s a breach, you’ll be fined, and that accountability extends to your data entry contractors, IT providers and anyone else who could have potentially accessed the PHI.
- Use the HIPAA assessment to create a roadmap and an actionable plan for improving and/or maintaining your security. Remember, you’re probably not going to be able to achieve everything at once, so you’ll need a prioritized list for handling the most important gaps in Business Associate compliance, IT infrastructure and HIPAA compliance processes.
Practices of all sizes can outsource cybersecurity
If you don’t have a full-service IT staff on hand, you’ll need to turn to an outside provider to bring in the necessary security resources, including consulting. Or, maybe yours is a multi-location practice with a robust IT team, but you still need to farm out certain functions to stay on top of all areas of HIPAA compliance. Large companies may find it beneficial to work with an external consultant or provider, too, mainly for benchmarking their capabilities or getting an outsider’s insight regarding their compliance program.
Consider partnering with a provider who works with hospitals in your area to audit, improve and maintain your HIPAA compliance when it comes to documentation, IT infrastructure, security awareness training, and ongoing auditing and reporting. The staff at Deerwood Technologies has years of experience in a variety of business and regulatory domains, including FBI information security, PCI/DSS and healthcare standards. We help clients develop a strategy and timetable with prioritized phases so they can be on their way to reducing HIPAA compliance concerns and preparing themselves for an audit.
Contact us if you need help getting your practice in line with HIPAA requirements.