Congratulations, your new medical practice will be opening soon!

Have you paused to consider what the road to HIPAA compliance will look like for your organization? How will your new business venture (and potential associates) handle sensitive, protected health information, and meet the regulations of the Healthcare Insurance Portability and Accountability Act (HIPAA)? These are key questions that will impact patient privacy and protection, not to mention your ability to practice – especially if an Office of Civil Rights (OCR) audit is in your future.

Thankfully, there are resources available to systematically prepare you for HIPAA, designed to walk you through each step of the process. You can check that out here. In the meantime, we think it’s important to at least provide a “lay of the land,” to help you start off on the right foot. Here are 8 key “signposts” to follow that will guide you on your way to meeting HIPAA regulations:

1. Before you start out, plan on hiring a dedicated, internal Compliance Officer/Security Manager.

Any journey into unknown territory goes better with an experienced guide. With that in mind, you’ll need a point person who will ensure that your organization is satisfying all regulations and that policies and procedures are up to date. This is the work of the compliance/security officer. Without him or her, maintaining compliance just won’t happen – trust us. And, HIPAA actually requires you to have one – whether an existing employee who will train for the role, or a new hire with expertise.

What functions will the Compliance officer handle? Here’s a summary:

  • Develop and maintain your HIPAA-compliant privacy program
  • Oversee the HIPAA training of your employees
  • Conduct a risk analysis, create HIPAA-compliant procedures where needed, and monitor compliance with the program
  • Investigate and report any data breach incidents as required
  • Ensure the protection of your patients’ rights in accordance with federal/state laws
  • Keep up-to-date with pertinent state and federal laws

2. Identify what data needs protection (Where is your ePHI?)

Traveling securely towards compliance means first investigating what is sensitive data, and then applying the best protection. Basically, you’ll want to know: Where is the ePHI in my organization? and Have I included all the ePHI that we create, receive, maintain or transmit, including our website and from external sources such as vendors?

3. Take stock of your risks (A HIPAA Risk Analysis should be performed).

As you think about mapping the terrain you’ll need to cover, you’ll see that taking stock of risk is crucial. Essentially, this involves finding the “potholes” and potentially dangerous sections of the road. Basically you are looking to answer, What are the human, natural, and environmental threats to information systems that contain electronically protected health information (e-PHI)? Understand that this is a question you’ll return to often, as threats can (and do) evolve quickly. You can’t relax on this one (or any steps for that matter), for if left unaddressed, these risks will actually leave the door open for malicious actors to exploit your ePHI. And while there isn’t one exact way to do a risk analysis, you can find some guidance here.

4. Journeying the path to HIPAA compliance means equipping those who travel with you.

You’ll soon discover, if you haven’t already, that HIPAA regulations are multi-faceted, and very much about trustworthy people doing the right thing – each in their own sphere. As mentioned, staff training (with refresher training annually) will be necessary to help your people understand HIPAA requirements about patient privacy, as well as their own responsibilities to work securely. This includes everyone from network engineers and system administrators to employees on your network who might be tempted by a phishing email or other kinds of social engineering. As someone has rightly said, “your security solution is only as good as the people you have maintaining it.”

5. Document all training and assessments, as well as emergency procedures and Rules for Breach Notifications

Should you ever be audited, it will be key to have all your training sessions and risk assessments documented. Again, the Compliance Officer should ensure that this happens. One piece of documentation you should be prepared to show is how you are prepared for an emergency situation. Basically, an auditor will want to know: In the event of a data breach, do you know the appropriate “first aid” to apply, in order to mitigate damages?

6. Control (and track) who accesses data

A key principle to control access to ePHI is that it should be as limited as possible, governed by application roles on a need-to-know basis. This is known as the ‘principle of least privileges’. Tamper-detection techniques can be employed to send alerts when code is being modified or changed, and log all changes. Finally, be aware of any dashboard access to PHI that might possibly be available to every user.

7. ePHI must be further protected by data encryption

Ensuring that any communications of PHI (email, SMS) via your application are encrypted, end-to-end, is not only required, but key to protecting sensitive data if it should fall into the wrong hands. Utilize the latest and most trusted encryption protocols, such as 256-bit AES. Further, all ePHI should be encrypted in storage (both production servers and local machines), as well as transmission, and all API keys should be kept secret and secure, with restrictions. Avoid embedding them directly in code; instead, store them outside of your application’s source tree.

8. Secure the disposal of ePHI as required

Finally, know when ePHI is no longer required and should be permanently destroyed. All ePHI paper records must be rendered unreadable, and digital devices must also be effectively erased. See How to Dispose of PHI Data.

As we’ve seen, walking the path toward HIPAA compliance involves following the signposts. What is key to know next is that once you’ve reached the destination of compliance, you aren’t done. Maintaining compliance is an ongoing process, requiring vigilance on the part of your team. Clear communication from your compliance manager is essential, especially when internal policies and procedures change or are reviewed with vendors or clients. And of course, the CEO should keep compliance objectives clearly in all planning objectives and operations.

HIPAA Vault’s Managed Services for HIPAA compliance include less-than-15 minute response times for critical alerts, and 90% first call resolution. Our dedicated IT professionals handle everything from general support questions and maintenance, to more complex issues such as advanced firewall configurations and system monitoring. In this way, we simplify your business while providing peace of mind.