It’s been almost 25 years since the Health Insurance Portability and Accountability Act (HIPAA) came into force, but many healthcare providers and business associates still have a hard time keeping track of the requirements. The fact that most medical records now exist in digital form makes matters harder still, since the technology in use today looks very different from that of 1996.
What are the safeguards you’re required to put in place?
Every organization working in the healthcare sector, including those that handle protected health information (PHI) on behalf of covered entities, needs to pay close attention to three key areas and conduct yearly audits to ensure that its privacy and security controls are up to scratch. HIPAA enforcement is at an all-time high, as is the risk of a data breach. Implementing suitable safeguards that keep pace with new and emerging threats is critical.
Self-audit for success
HIPAA’s Security Rule requires covered entities (e.g., healthcare providers, health plans and clearinghouses) and their business associates to perform a periodic risk analysis and evaluation of their safeguards. A common way to structure this is as six annual self-audits for covered entities and five for business associates. These audits must be fully documented to demonstrate your organization’s efforts to achieve and maintain compliance. The self-audits include:
- Security risk assessments for determining and mitigating potential security risks
- Security standards audits for reviewing internal standards in accordance with HIPAA
- HITECH subtitle D audits for ensuring breach notification requirements are met
- Asset audits for providing visibility into all devices used to store or access PHI
- Physical site audits for measuring the capabilities of your site’s physical safeguards
- Privacy assessments, which apply only to covered entities, not to business associates
Vet your business associates
Today’s increasingly complex supply chains often mean that the weakest link in privacy and security exists in a third party. Before you share any PHI with third parties such as IT vendors, you need to ensure the necessary business associate agreements are in place. To streamline onboarding and management across your supply chain, you should also have a unified and consistent process that involves asking the right questions to determine the level of risk that each third-party relationship presents.
Develop an incident response plan
HIPAA requires that all covered entities and business associates have documented security incident procedures, including an incident response plan and the breach notification steps to follow when a security incident occurs. A tested plan helps you detect a breach sooner and contain its effects, greatly reducing risk to your organization.
The HITECH Act, which supplements HIPAA, requires covered entities to notify affected patients without unreasonable delay and no later than 60 calendar days after the breach is discovered. A business associate that discovers a breach must notify the covered entity within the same 60-day window; the covered entity then notifies patients. If a breach affects 500 or more individuals, the Secretary of Health and Human Services must also be notified within 60 days, and if it affects more than 500 residents of a single state or jurisdiction, prominent media outlets serving that area must be notified as well. Smaller breaches must still be logged and reported to the Secretary annually.
Intouch IT is a fully HIPAA-compliant technology provider that specializes in helping healthcare providers achieve more with a secure and managed IT environment. Call us today to find out more.