In 2016 we will see more HIPAA audits and increased HIPAA fines. In 2015, there were 10 times more audits than in the last 10 years combined and currently, 70% of healthcare organizations would fail an audit. This article in Healthcare IT News is an indication of what’s coming.
Here are the 6 Steps to avoid HIPAA fines.
Most Common Mistakes
The two most common mistakes a practice makes in becoming HIPAA compliant is:
- thinking that a risk analysis is enough
- having an insufficient set of written policies
The rules put forth by the government to comply with HIPAA laws are complex and all of them need to be addressed.
What does the HIPAA law require?
The HIPAA Privacy regulations require healthcare providers and their business associates to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. What does that look like?
- Risk Analysis (the discovery of deficiencies that a practice has in relation to the HIPAA Privacy and Security Rule),
- Risk Management (the remediation of the deficient items),
- Policies and procedures addressing each section of the Privacy and Security Rule,
- Vendor management (making sure proper Business Associate Agreements and assurances that the Business Associate is complying with the HIPAA Security Rule are in place)
- the staff has attested to each privacy and security policy and they have taken a HIPAA 101 training course and successfully attest they understand the basics of HIPAA
How to Avoid HIPAA Fines?
The best way to avoid being fined by an auditor is to show due diligence. What is that? It is making a good faith effort in complying with the rules, documenting all findings, and being able to show anyone your compliance plan and efforts.
Detailed HIPAA fines or penalties can be found at the American Medical Association.
The 6 Steps:
- You must have a risk analysis that audits you for administrative risk (policies and procedures), technical risk (how are you safeguarding the access to and protection of ePHI that resides on your systems), and physical risk (assessing how you are protecting the data within the four walls of your site or sites.
- You must remediate (fix) all deficiencies that were found during the risk analysis and document what you did to resolve the deficiency.
- You must have policies and procedures covering all aspects of HIPAA Privacy and Security and HITECH (breach notification).
- You must educate your staff with training and track their attestation that they understand all the new policies and procedures you have put into place to safeguard protected health information.
- You must identify your business associates (BA) and make sure you
have up to date BA agreements in place. If possible get assurances the BA you share data with is complying with the HIPAA Security Rule.
- Finally you need to create a culture of compliance that everyone takes HIPAA and safeguarding ePHI to a different level of protection.
Contact us at 404-865-1289 if your healthcare organization needs a risk assessment or compliance support. Some information courtesy of The Compliancy Group.