By Sheryl J. Cherico, CEO

Are you HIPAA compliant? Do you know whether you are HIPAA compliant? Does having a Security Risk Assessment make you HIPAA compliant?

If I had to guess which question I am asked the most, it is "how do I know if I am HIPAA compliant?" This may sound like it has an easy answer, but it does not. Many pieces make up full HIPAA compliance, and it is a never-ending process that changes with your employees, your practice, and your overall way of doing business.

The first step to becoming compliant is to have a HIPAA security risk assessment performed. I am finding that there is a misconception that if someone has had a security risk assessment, then they are automatically HIPAA compliant. The assessment is just the beginning; it is where you start to get your compliance in order. A security risk assessment measures your practice against the Security Rule's required and addressable implementation specifications. "Required" means you must implement the specification; "addressable" means you must implement it if it is reasonable and appropriate for your practice, or document why it is not and implement an equivalent alternative where one makes sense. If you don't know what those specifications are, how would you know whether you are meeting them? Having a security risk assessment performed is a very good start to getting your compliance in order.

Once your security risk assessment has been performed, you should be given a list or matrix of some sort telling you which areas you need to improve. This is where you start putting together policies and procedures that document and outline the required and addressable specifications in your practice. For example: what is your sanction policy? That is, what happens when an employee causes some sort of HIPAA violation (large or small)? Depending on the violation, do you retrain, counsel, give a written warning, or terminate? These are things you need to have documented in your practice. HIPAA requires anywhere from 48 to 70 required or addressable policies and procedures, depending on what is applicable to your practice. You can write these yourself, purchase them as templates, or have someone prepare them for you. However you choose to obtain them, you should get started on them if you haven't already.

After your policies and procedures are in order, you want to look at your existing network. Do you have proper backups, and how often do you test them by actually restoring from them? Are your laptops and mobile devices encrypted? (This matters beyond the Security Rule: under the breach notification rule, a lost or stolen device whose ePHI was properly encrypted is generally not a reportable breach, while an unencrypted one is.) Do you have firewall protection? Can people access your network from the outside? Do you have intrusion protection? Is your wireless network secured? And so on. A good company that provides security risk assessments should be able to run tools that give it solid information about your existing network. Once the network has been assessed, you can get a good handle on the "state of the network" and begin closing any holes the security risk assessment uncovers.

Training – you have all these policies and procedures documented, and you have all the holes in your network covered, but no one knows about them. That's where training comes in; HIPAA requires a security awareness and training program for your workforce. We have to tell the staff, "You can no longer put a sticky note with your password on your computer," or, "You cannot share network logins anymore." In some cases, the staff will find HIPAA very inconvenient. They don't want to change passwords or have unique logins. In the end, it is for their own protection, and for the protection of your patients: a shared login means you cannot tell who accessed a record, and a posted password means anyone walking past can.

So now you have everything completed. You have the policies, you have the network documentation, and you have trained your staff. Are you compliant? I would say yes...but for TODAY. You have to STAY HIPAA compliant. How does that happen? By continuing what you started. For example, every new employee should receive HIPAA training; they need to know about HIPAA and how your office handles the various required measures. Another example: you switch IT companies. You now have to make sure THEY are HIPAA compliant, and you need a signed Business Associate Agreement with them before they touch your systems or your patients' data. The risk assessment itself also needs to be revisited periodically and whenever something significant changes, such as a new EHR system, a new location, or a move to cloud-hosted services.

In short, being HIPAA compliant is a never-ending task. This doesn't mean it's bad or unattainable. Personally, I think it forces "best practices," and it's a good way of doing business and keeping your network, your employees, and your patients secure. If you have to ask yourself, "Am I HIPAA compliant?", you just may not be.

Tier3MD is an IT support group for medical practices.