Today, September 23, 2013, is the HIPAA Omnibus Final Rule Enforcement Deadline.
Remember: once your HIPAA compliant foundation is in place, you need to maintain it. If you let it go, it can become out of date quickly, and what was a HIPAA compliant environment can slip away. Staying HIPAA compliant takes some work, but it sure beats the pain of dealing with a breach investigation.
Here are a few simple things you can do to maintain a HIPAA compliant environment.
1. HIPAA Compliant Human Resource Department
Make sure HIPAA stays on the radar of your HR staff. Be sure that HIPAA training is on the checklist for all employees. The next time a new employee is hired, ask to see the evidence that the person was trained prior to being given access to patient data. If it was done, document it as part of your internal auditing program to stay HIPAA compliant. If it wasn’t done, make sure the new employee is quickly trained, and work with HR to prevent future issues.
2. HIPAA Compliant Employees
Audit your employees to make sure their work habits are HIPAA compliant. Check work areas to ensure that passwords are not visible: check their badges, the undersides of their mousepads and keyboards, their walls and their monitors. Check the documentation for the tasks they perform. Observe them while they do their jobs. Let everyone know you are looking, and conduct random HIPAA audits regularly.
3. HIPAA Compliant Risk Analysis
Your HIPAA Risk Analysis is not a document to sit on a shelf forever. Being HIPAA compliant means you will review it at least once a year. Immediately document any significant changes, like moving to a new location, relocating IT equipment to a new data center, or implementing a new EHR system. If nothing changes in a year, just make a note, and sign and date it.
4. HIPAA Compliant Business Associates
A bigger challenge to being HIPAA compliant than your employees are your vendors, your Business Associates. People you have never met can cause a data breach that could cost you millions of dollars. Demand evidence that they are HIPAA compliant, and that their subcontractors are HIPAA compliant. Don't assume that because they signed a Business Associate Agreement they understand HIPAA and are really complying. Trust but verify.
5. Scheduling HIPAA Compliance Management
How can you remember everything needed to be HIPAA compliant? Use your computer to schedule reminders to audit HR and your employees. Schedule a date just under a year from now to review your Risk Analysis. Schedule reviews of your Business Associates in your calendar, starting with the ones that are the biggest threat to you staying HIPAA compliant: these providers have access to huge numbers of patient records that could be breached in seconds. If you believe that they, or their subcontractors, are not HIPAA compliant, work with them briefly to ensure their compliance, or replace them. Anything else leaves you exposed to a data breach.
Need help with HIPAA compliance?
Kentucky REC’s AHIMA certified specialists will conduct a risk analysis to evaluate your organization’s compliance with the HIPAA Security Rule standards and implementation specifications.
To learn how our HIPAA Privacy and Security experts can help you, contact us at 1-888-KY-REC-EHR.