When we schedule an appointment to go over HIPAA compliance with a new client, we are always asked, “Where do I even start?” by the owner or practice manager. Becoming HIPAA compliant is a complex proposition that takes time, knowledge, and persistence. There are many steps involved, but the first steps are always the same: appoint a Compliance Officer and perform a full Security and Privacy Risk Assessment.
Appointing a compliance officer should be the easier of those two steps. Pick a person who has enough time to dedicate to compliance. For a smaller practice, this might be a couple of hours per week. For a larger organization, you may need someone who devotes all of their time to compliance.
Choose a compliance officer who will care about compliance. It is their job to watch for violations throughout the organization. A complacent compliance officer will likely result in violations being overlooked, or in no action being taken when violations are found.
Your compliance officer will need to learn the laws, prioritize compliance tasks, and be able to delegate certain tasks to the proper departments. Do not pick an employee who has trouble delegating these tasks. A compliance officer will generally be unable to complete all compliance tasks on their own.
After choosing a compliance officer, the next step is possibly the most important aspect of compliance: the full security and privacy risk assessment. This assessment will take at least a day or two to complete for a smaller practice and could take many days or weeks for larger organizations.
A risk assessment is basically a full inventory of your technology, your privacy and security policies, and your employee training levels. You will start by documenting every piece of equipment that stores or has access to PHI (protected health information). You will then be tasked with deciding whether PHI is adequately protected (according to the law) against unauthorized access. Unauthorized access includes access by employees who shouldn’t be accessing a particular record and access by non-employees who shouldn’t have access to any records.
Next, you will be reviewing company policies regarding patient privacy and data security. If you do not have any policies in place, you will be writing those policies from scratch. If you have some policies but are missing others, you will need to add the missing policies. For instance, if your organization doesn’t have a documented policy for handling suspected breaches, you will need to write one. Or if your organization doesn’t have a policy for employee passwords (how often they should be changed, two-factor authentication for remote access, password sharing, etc.), you will need these policies added to your employee handbook.
Now comes employee training documentation. You will need to find out the last time each employee was trained on HIPAA policies. If it’s been more than 12 months, that employee should be retrained immediately. All employees should be retrained every 12 months whether there have been changes to HIPAA policies or not.
After you finish this initial risk assessment, you begin the task of remediating all of the gaps you found. If few gaps were found, this process can be quick, perhaps a few weeks. If you find that your organization is missing lots of documentation, policies, or proper security measures, remediating these gaps can take months or years depending on the size of your organization.