5 HIPAA Resolutions for the New Year
2017 has been another busy year for HIPAA breach investigations, which cost the industry over $19 million in fines paid to the government. Unless radical changes are made across the healthcare industry in the next few months, the outlook for 2018 does not appear to be much better. In preparation for the year ahead, here are five resolutions HIPAA covered entities should be looking to implement.
1) Conduct a risk assessment
The HIPAA Security Rule requires covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information (ePHI) the organization creates, receives, maintains, or transmits. In the event of a data breach, failure to produce evidence of an up-to-date risk analysis can lead to substantial penalties, and a missing or outdated risk analysis is one of the most common findings in OCR enforcement actions. The new year is the ideal time to revisit the risk analysis and update it for any changes in systems, vendors, or workflows that have introduced new places where ePHI is stored or handled.
2) Have a response plan in place
A risk analysis only identifies the risks that need to be addressed. Once those risks have been identified, the organization must document how it will respond to each one in a risk management plan: which safeguards will be implemented, by whom, and by when. Alongside this, an incident response plan should set out how the organization will detect, contain, and recover from a security incident, so that recovery is quicker and downtime is minimized when something does go wrong. The number of breaches in the healthcare industry shows no sign of slowing down, so organizations should review and update both plans sooner rather than later.
3) Review Business Associate Agreements (BAAs)
Covered entities should take the time in 2018 to review each of their vendor relationships and ensure that a signed Business Associate Agreement (BAA) is in place with every vendor that creates, receives, maintains, or transmits ePHI on the entity's behalf. These agreements should be tracked in an inventory, alongside the vendor list it is checked against, and reviewed regularly in the months ahead to ensure that none has lapsed and that no new vendor has started handling ePHI without one.
4) Update policies
HIPAA requires covered entities to develop and maintain written policies and procedures that implement the Privacy, Security, and Breach Notification Rule requirements, and to retain them for at least six years. Moving into the new year, organizations should confirm that their policies and procedures are in order, reflect how the organization actually operates today, and are up to date with current security and privacy best practices.
5) Develop a culture of compliance
Policies and procedures for HIPAA compliance are essential for establishing a framework of rules and expectations, but they will count for nothing if employees are not following them. Make it a resolution in 2018 to refresh the company’s knowledge and understanding of HIPAA compliance and kick it up a notch by carrying out regular training sessions.
These resolutions will serve as a starting point to ensure covered entities set the new year off on the right foot with their HIPAA compliance, but as with any resolution, it is essential that the effort remains consistently high throughout the year.