The first two parts of this series on HIPAA in 2022 examined regulatory updates related to interoperability and OpenNote, and privacy, patient rights and security. That’s a lot to get your arms around during these challenging times.
You may feel overwhelmed and ask yourself how to keep up-to-date on all of this year’s changes, and how to start to ensure that my practice is in full HIPAA compliance? This is perfectly understandable!
Here are five tips to help you adapt to the rapidly changing HIPAA regulatory landscape, and mitigate the risk of penalties for noncompliance:
Chase the knowledge
Seek out reliable, accurate information. Do you know if your “go-to” compliance source has read and thoroughly understands the latest regulations and guidelines? It might be wise to consult with a qualified consultant or healthcare attorney, as well as your software vendor about the Cures Act requirements and any applicable exemptions. Granted, learning about new dental materials or the latest digital technology is much more exciting, yet savvy practice owners must also fully understand their legal regulator responsibilities.
Evaluate your compliance status
Take time to review your HIPAA compliance progress in light of these changes, as well as pending changes. Remember, your policies and procedures should reflect your office processes as well as fulfill the specific requirements of any given regulation. Hand-me-down policies from the previous practice owner do not reflect a good-faith compliance effort. Neither does an uncustomized fill-in-the blank manual sitting on a shelf. Don’t be afraid to jump right in and read your Privacy and Security policies. Regulators expect to see that you’ve conducted an annual policy review along with making any updates as needed.
Budget for compliance. Merely checking a box for free compliance training doesn’t fulfill all your regulatory obligations. All regulatory bodies (OSHA, HIPAA, state regulators) expect an active effort that includes ongoing compliance tasks—not a one-and-done annual training.
Take HIPAA security, for example. Does your IT partner actively monitor your network for hacking? Are you confident you could restore your data if it were compromised with ransomware? Perhaps now is the time to ask your IT partner to restore a few backup files for peace of mind. Ensuring this level of preparedness requires experience, time, and financial resources. If your team doesn’t have the time or the expertise, it’s even more important to budget for expert assistance.
Conduct a credible Security Risk Analysis (SRA)
This may be one of the most misunderstood requirements of the Security Rule, yet it’s been in effect since April 20, 2005. According to the Rule, an SRA should be conducted on a regular basis (i.e, at least annually) and whenever major changes occur within your office (e.g., acquisition or merger with another practice, new technology is implemented or when key employees are allowed to work remotely).
The Security Rule does not proscribe a specific risk analysis or risk management methodology. However, we do know from Office of Civil Rights (OCR) guidance that an SRA must contain these core elements at a minimum:
- Identify and document potential threats and vulnerabilities
- Assess current security measures
- Determine the likelihood and impact of threat occurrence
- Determine the level of risk
- Identify security measures and develop a risk mitigation plan
Your IT partner can assist you in gathering some of the technology data; however, it may be viewed as a conflict of interest if they conduct the full assessment. As well, they are not able to assess your entire practice from the administrative requirements of the Security Rule. Prefer not to tackle this alone? HealthIT.gov in conjunction with the OCR offers a free assessment tool. Or if you find that too overwhelming, you can consult with a qualified consultant or healthcare attorney to get started on the right track.
Make time for compliance work
Similar to blocking out time for patient emergencies, make time—even short windows of time—to work on compliance. Ultimately, you are legally responsible for the privacy and security of your patient data. Plus, your compliance coordinators will be very thankful for snippets of time to keep up with compliance tasks.
Winston Churchill once said, “Let our advance worrying become advance thinking and planning.” Instead of wondering or worrying whether you’re HIPAA compliant, schedule time for compliance planning and tasks.