Data breaches are on the rise, and your awareness about becoming and staying HIPAA compliant likely are, too. In its half-yearly report, ITRC (Interstate Technology & Regulatory Council) calculated that 791 U.S. data breaches have already been reported in 2017 from January 1 to June 30, marking a 29% increase year over year.1 And with the rise of ransomware ever growing, keeping clients’ Protected Health Information (PHI) safe is a bigger job than ever.
The laws behind HIPAA require a lot of legwork on your part. We know how much you need to do to make sure your organization doesn’t experience a breach or isn’t slapped with a costly fine – the challenge can be overwhelming. This week, Total HIPAA reviews your yearly HIPAA obligations. You’ll need to perform these tasks whether you’re a Covered Entity, a Business Associate, or a Subcontractor of a Business Associate. Note that some obligations have a specific date or time requirements, while the others can be performed annually at your discretion.
Complete a Current Risk Assessment
A Risk Assessment is required for Covered Entities, Business Associates, and Business Associate Subcontractors. A Risk Assessment is the first step of the Risk Management process; it lays the foundation for a detailed understanding of the risks to the confidentiality, integrity, and availability of ePHI and collects the information needed to establish the administrative, physical, and technical safeguards HIPAA requires be included in the Privacy and Security Policies and Procedures.
How often you should perform a Risk Assessment depends on the size and complexity of the organization. Larger companies may need to administer one each year. You’ll also want to complete one when major changes occur to your organization.
Complete a Risk Assessment when you:
- Experience a security incident
- Have a change in ownership
- Turnover of key management
- Adopt new technology or software
Review and Update Security and Privacy Policies and Procedures Documentation
A document outlining your company’s security and privacy policies and procedures is a HIPAA requirement. Follow these rules for compliance with your policies and procedures:
- Keep policies and procedures documentation for six (6) years from the date of its creation or the date when it last was in effect, whichever is later. Six years is the minimum amount of time to keep the documents; some state laws require you to keep them longer.
- Announce where employees can find copies of your policies and procedures (hardcopy manuals and/or electronic access)
- Review documentation periodically and “update it as needed, in response to environmental or operational changes affecting the security of the electronic PHI.”2
Carefully review and update (if necessary) policies and procedures regarding the workstations in your organization. Your organization’s policies and procedures should include information about:
- Restricting the use of workstations that have access to ePHI
- Governing how functions are to be performed on the workstations
At least once a year, you should make sure that employees are following the password guidelines in your policies and procedures. Each employee must change their passwords according to your schedule. This is a good time for employees to evaluate whether the password could have been compromised and/or if it needs to be strengthened. How often you change your passwords may vary based on numbers of employees and whether a password management program is used. In addition, review your applications and require two-factor authentication for any that store ePHI.
Sanction Policies Review
Sanction policies are another aspect of your policies and procedures that need attention. HIPAA requires Covered Entities and Business Associates to have and apply sanctions when employees violate your policies. It’s a good idea to have your employees review your sanction policies on a yearly basis and sign an acknowledgment that they have reviewed them. As your company and your use of technology grow, you should also annually review each sanction to make sure each one is still a good fit for your company.
Disaster Recovery Plan Review
Your Disaster Recovery Plan should include any event that compromises your information systems and, as a result, substantially interferes with the operations of your business. You should review your Disaster Recovery Plan annually and when any of the following occur:
- Fire, flood, or other natural disasters
- Hardware failure of critical elements (servers)
- Software failures
- Chemical/radiation hazard
- Sabotage, including any type of cyber attack
Data Backup Plan
A good Data Backup plan is imperative to keeping data safe, secure, and ready to use across any number of computing devices used daily. You should review your data backup plan anytime you add or remove a technical device, as its addition or absence could impact the integrity of your plan.
Who must be trained?
HIPAA requires that Covered Entities, Business Associates, and Business Associate Subcontractors provide HIPAA training to members of their workforce who handle PHI or could come in contact with PHI. All employees – regardless of whether they come in contact with PHI – should be trained on your company’s specific policies and procedures.
What topics are covered in training?
There are two types of HIPAA training you must provide annually to your employees:
- Training on the HIPAA law
- Training on your policies and procedures
Training on HIPAA law
The common and important HIPAA privacy topics to train about include:
- Identifying PHI
- Understanding the minimum necessary rule
- When and how PHI may be disclosed
- The importance of confidentiality
- Avoid snooping
- The need to keep an accounting of disclosures
- Sanction policies
Your security training should specify, per employee or job position, the proper functions to be performed and the manner in which those functions are to be performed.
At the minimum, security training should include:
- Managing malicious software (e.g. viruses, ransomware)
- Using workstation(s) securely
- Managing passwords and
- Monitoring and reporting suspicious use of account(s)
- Encryption Management
- Email Encryption
- Data/Document Encryption
- Two-factor authentication for mobile devices
Training on Your Policies and Procedures
In addition to HIPAA law training, your employees also need to understand your own company’s policies and procedures and how they enforce HIPAA compliance. If there is an open workspace, all employees – even if they don’t need to touch PHI to complete their job – should be trained on these policies and procedures.This protects your company from employee-generated breaches. Any new employee must be trained as soon as possible, and you also must retrain your employees when any change occurs to your policies.
Business Associate Agreement (BAA) and Subcontractor Agreements Review
Does your organization employ Business Associates like IT, transcription services, coding and billing, consultants, collection agencies, or shredding companies? Any Business Associate that comes into contact with PHI must sign a Business Associate Agreement. HIPAA law requires that you, as a Covered Entity, keep it on file. The same goes for a Business Associate Subcontractor.
It’s very important to review the latest BAA each Business Associate has signed with your company. If the most current BAA you have on file with a vendor is signed on or before September 22, 2014, you should immediately amend or replace this BAA and have a vendor sign a new BAA that complies with Omnibus Rule requirements.
The U.S. Department of Health and Human Services (HHS) defines a breach as “generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”3 The HIPAA Breach Notification Rule requires Covered Entities to notify affected individuals, HHS, and in some cases, the media, of a breach of unsecured PHI. The Breach Notification Rule also requires Business Associates of Covered Entities to notify the Covered Entity of breaches at or by the Business Associate.
When Do I Report a Breach?
HIPAA law requires that all breaches are reported to HHS. The type of breach dictates when you have to report it:
- Breaches with less than 500 individuals affected must be reported by February 1st of each year
- Breaches with more than 500 individuals affected must be reported within 60 days of discovery
Who Must Report a Breach?
Covered Entities must notify affected individuals following the discovery of a breach of unsecured PHI. Business Associates must notify Covered Entities if a breach occurs at or by the Business Associate or a Subcontractor. If there is imminent danger that the breach will adversely affect the individual, the person must be notified immediately.
Notice to the HHS Secretary
In addition to notifying affected individuals and the media (where appropriate), Covered Entities must notify the HHS Secretary of breaches of unsecured PHI. Covered Entities will notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form.
Covered Entities that experience a breach affecting more than 500 clients or patients must notify the affected individuals and are required to provide notice to prominent media outlets serving that State or jurisdiction. This notification will likely be in the form of a press release to appropriate media outlets serving the affected area. The notification must be provided no later than 60 days following the discovery of the breach.
Business Associates/ BA Subcontractor
If a breach of unsecured PHI occurs at or by a Business Associate or Subcontractor, the Business Associate Subcontractor must notify the BA and the BA must notify the Covered Entity following the discovery of the breach, no later than 60 days from the discovery of the breach.
HIPAA Compliance Doesn’t End Here
Keeping your organization HIPAA compliant protects clients’ protected health information, as well as the integrity of your company. Keep in mind that the actions found here in this article shouldn’t be regarded as “one and done.” If you continually assess your HIPAA obligations and keep compliance a vital part of your organization’s mission, you’ll lessen the chance of a HIPAA breach and violation. Remember, your reputation is your most important commodity and a breach can ruin your company.