When it comes to complying with the HIPAA Security and Omnibus Rules, there is a lot of confusion as to what needs to be done. And if you look at the amount of work it can be overwhelming; security risk assessment, employee training, policies and procedures, business associates, breach notification, encryption, disaster recovery to name just a few of what needs to be in place.
We have prospective clients that come to us and say:
I need encrypt my laptop to comply with HIPAA
I always smile when I hear that. While there is no argument that encrypting laptops, smartphones, and USB drives will help protect patient information, encryption should be implemented in the context of a total strategy to protect patient information.
Step by Step Process
We always make it clear that to comply with HIPAA regulations and to protect patient information it is important to follow a structured process. This is the process that we recommend:
Perform a security risk assessment (SRA)
Where is patient information?
A SRA will help an organization understand where patient information is. It is not only in your EHR but could be in documents, spreadsheets, billing systems, email, smartphones, USB drives, diagnostic equipment, digital x-rays, transcription systems, backup devices, stored on business associate’s systems, etc.
How is patient information being protected?
A SRA will look at how these systems are currently being protected. What policies and procedures are in place? What security has been implemented? What redundancy and controls to ensure that patient information remains accessible? What process or mechanisms are in place to prevent or detect unauthorized access to patient information?
Analyze threats to patient information
A SRA will look at threats that could put patient information in jeopardy such as a lost laptop, fire or flood, hacker accessing your systems, employees stealing data to name a few.
Recommend additional security
A SRA will recommend additional security to further protect patient information. Security may be policies, procedures, training, network security, system redundancy, encryption, etc.
Implement policies and procedures
The next step after a SRA is to implement the appropriate security policies and procedures. Some of the policies and procedures might include a workstation use policy which informs employees what they should or shouldn’t do with patient information; such as not posting patient information on Facebook or social media. Policies might include reviewing system activity to ensure that access to patient information is appropriate. Procedures might include data backup to ensure patient information is protected or a termination procedure to ensure that terminated employees do not access patient information. Other policies might include a breach notification policy and procedure that an organization will follow in the event of a data breach or a policy that ensures business associates are properly protecting patient information.
Training
Employees should be trained on the organization’s policies and procedures. They should understand the risks to patient information and how they should protect patient information. They should understand what is expected of them. They should know that they could be sanctioned (up to losing their job) if they violate an organization’s policies.
Technology
The SRA will identify additional security which might include additional network or data security. This is where encryption should be evaluated. Other technology that might be evaluated is a disaster recovery plan that will enable access to patient information in the event of a disaster (fire, flood, hurricane, tornado, etc.). The SRA will help guide an organization to what additional technology should be evaluated.
Go back to the beginning and start again
A key point is realizing that once you do each of these steps you are still not done. HIPAA is an ongoing process. The process is called a risk management process. That means that an organization should be doing periodic SRAs, implementing additional policies and procedures, implementing additional patient information security and technology. And continuously training their employees on how they should be protecting patient information.
There is no hard and fast rule that the steps need to be in the order defined above. Can an organization implement encryption before they train their employees? Absolutely! The steps defined above are a general guideline. With that said, it is highly recommended to start with the SRA. That will help guide the organization and show them where they need to focus on. HIPAA can be overwhelming but if an organization takes the step by step approach to complying with the regulations and to protecting patient information it can be a much simpler process.
[framed_box bgColor=”#ffd390″]HIPAA audits are coming
are you ready?
(Click on the links below for more information)
Covered Entities
Business Associates
- Are you a Business Associate?
- Have you performed a Security Risk Assessment?
- Do you have written policies and procedures on how to protect patient information?
- Do you have an incident response plan?
- Do you have Business Associate Agreements with your subcontractors?
- Have you provided HIPAA security training for all employees?
Now is the time to get ready for the
HIPAA permanent audit program!
Contact us if you have questions, concerns or need help with HIPAA compliance
[/framed_box]
Leave a Reply