Four easy steps to address the HIPAA elephant in 2019

This is Heather, the HIPAA elephant, because we know that HIPAA can feel like an elephant. How do you tackle Heather, the HIPAA elephant? One bite at a time!

HIPAA fines are up. Audits by the Department of Health and Human Services are up. 2019 is shaping up to be a rather tumultuous and dangerous year for healthcare providers as they ramp up to address their HIPAA privacy obligations.

Here are four steps to FAIL your next HIPAA audit.

And here are four steps to start out ahead this year….

1. Do SOMETHING.

There are so many different ways to start tackling another aspect of HIPAA. Are you wanting to make some headway in implementing technical safeguards? Great! Two-factor authentication. What about administrative safeguards? Awesome. Update your workforce sanctions policy and make sure it’s realistic. What about physical safeguards? Get those contingency operations plans updated. Whatever you decide to do, you’ll have to start somewhere.

“When eating an elephant take one bite at a time.”

Creighton Williams Abrams Jr.

I never said that eating the HIPAA elephant was going to be easy. But since you have to, you might as well start with one bite at a time. Approach HIPAA like you would an elephant and you’ll be surprised at just how much you can accomplish in a short period of time.

2. Business Associate Agreements

I’ve seen a lot of embarrassingly insufficient business associate agreements (BAA). As a recap, a “business associate” is likely a vendor to a healthcare provider, other than a member of the workforce of a covered entity, who provides certain services to a covered entity. Remember, this service directly involves access by the business associate to protected health information (PHI).

Among other confusing relationships that can exist between entities, a covered entity can be a business associate to another covered entity.

As part of your approach to HIPAA in 2019, perhaps it’s time to evaluate the relationship between yourself and your vendors, or between yourself and your clients. Are you a covered entity? Are you a business associate? Do you have business associates?

Once you’ve done some review of those relationships and you’ve identified all your vendors and business associates, it’s time to review those business associate agreements.

There are ten critical terms that must be addressed in these contracts. Find out more about these ten terms here: Requirements of a Business Associate Agreement (BAA).

3. Policies, Procedures and Internal Operations

Cookie cutter policies aren’t going to cut it. In this industry, so highly regulated by HHS, it’s highly unlikely that you’ll get away with taking any shortcuts. Let’s tackle your policies and procedures and how they relate to the realistic operations of your organization.

Are they accurate? I mean, do your policies accurately reflect how your workforce carries out their day-to-day operations? If you’re documenting in your policies that your workforce implements rigorous access revocation procedures upon employee termination, but this isn’t being practiced regularly by your IT staff, that’s not good. You’re saying that you’re doing this, but if that can’t be proven and is likely to be disproved by the dozens of former employee accounts that haven’t been deactivated, HHS will certainly have a field day. At your expense.

Don’t let that happen. Get on top of your policies and procedures. Make sure they’re honest and truthful. Maybe it’s time to actually change some operations and procedures to better protect patient privacy. Maybe you’ll learn something about your own organization. It’s another bite you can take out of the HIPAA elephant. It’s getting smaller!

4. Risk Assessment

Calling in the experts can be totally nerve-racking. You’re inviting others into the sensitive operations of your organization, exposing your internal practices to a stranger. We’re not the bad guys. We’re here to help you.

Updating your risk assessment can give you invaluable insight into modern best-practices that you weren’t aware of. It can make you aware of problematic business operations that really ought to be corrected and streamlined.

And best of all, you’ll get a great plan for continuous improvement: a plan consisting of the best actionable steps you can take to make the most impact in mitigating risk at your organization.

Don’t forget, HIPAA compliance starts with a risk assessment.

“When eating the HIPAA elephant, take one bite at a time.”

Patrick Brenner

Take action. Put yourself at ease and get started. Together, we can minimize your exposure to HIPAA and make 2019 a bad revenue year for HHS.