By Diane Evans
Overall, it’s fair to say HIPAA regulations are confusing. One way to simplify the requirements is by focusing on the high-level objectives. When you know what you want to achieve, it’s easier to figure out a tactical approach.
Here are some points to consider:
There are two foundational pieces of a program to protect confidential information across departments:
A policy manual that covers all requirements under HIPAA and broadly describes the ground-level procedures in place to carry out those policies.
A documented, enterprise-wide risk assessment that involves mapping and inventory of all places where data is maintained, created, received or transmitted. Remediation plans are then developed, with priority placed on risks likely to create the most disruption.
In the case of policies, procedures and risk assessment, management-level responsibilities are ongoing through periodic policy reviews, risk mitigation efforts and security improvements.
Separately, other processes must be in place as well, such as:
Well-communicated protocols for how to report suspicious activity or an actual breach;
Procedures for handling medical records requests by individuals you serve, or their legal representatives;
A plan for holding all third parties accountable through Business Associate Agreements (BAAs), in all cases where an outsider has potential access to confidential information for which your organization is responsible. As a best practice, the BAAs should be detailed enough to demonstrate that your organization is satisfied with security measures in place.
Keep in mind, HIPAA primarily sets base-level standards for maintaining privacy and data security across an organization. More than half the regulations relate to administrative duties.
About the author
Diane Evans is founder of Guarded Edge, which offers training and an in-house implementation plan for compliance with the Health Insurance Portability and Accountability Act (HIPAA) within long-term care. Diane can be reached at devans@guardededge.com. She has offered accredited training for state and national organizations, including the Health Care Compliance Association and the Cleveland Metropolitan Bar Association.