Developing a HIPAA Compliance Program
The Department of Health and Human Services requires healthcare organizations, including behavioral health providers, to implement a HIPAA compliance program to ensure protected health information privacy and security. An effective HIPAA compliance program consists of self-audits, gap identification and remediation, policies and procedures, employee training, business associate management, and incident response.
- Self-audits. Behavioral health providers are required to conduct six self-audits annually: the IT Risk Analysis Questionnaire, Security Standards, HITECH Subtitle D, Asset and Device, Physical Site, and Privacy Assessment audits. The purpose of conducting self-audits is to measure current privacy, security, and breach notification practices against HIPAA standards.
- Gap identification and remediation. Through the completion of self-audits, gaps in current practices are identified. These gaps, also known as risks and vulnerabilities, must be addressed with remediation plans. Remediation plans should be specific and include how deficiencies will be addressed and timelines for remediation.
- Policies and procedures. Policies and procedures create guidelines for the proper uses and disclosures of PHI, how PHI is protected, and how and when to report a PHI breach. Policies and procedures must be customized for each organization to account for nuances in the way the business operates. They must also be reviewed annually and adjusted should there be any changes to business operations.
- Employee training. To ensure that employees are aware of HIPAA requirements and their organization’s policies and procedures, they must be trained annually. Effective training gives employees the opportunity to ask questions about material they don’t understand and, once they do understand it, to legally attest that they agree to abide by it.
- Business associate management. The HHS requires behavioral health providers to assess their business associates’ HIPAA compliance before contracting with them. This can be done by sending each business associate a vendor questionnaire, similar to the self-audits. The business associate must agree to remediate any deficiencies found before the provider begins working with them. Additionally, a signed business associate agreement is required with each business associate before any PHI is shared with them. A business associate agreement is a legal document that requires each signing party to be HIPAA compliant and to maintain that compliance.
- Incident management. Any breach that affects the privacy or security of PHI must be reported. This includes unauthorized use or disclosure of PHI, hacking incidents, loss or theft of paper records, and loss or theft of unencrypted devices containing PHI. TBHI also discussed 8 common HIPAA violations that increase legal risk in previous blogs. Breaches affecting fewer than 500 patients must be reported to the HHS’ Office for Civil Rights (OCR) and to the affected patients. Breaches affecting 500 or more patients must be reported to the HHS’ OCR, the affected patients, and local media outlets.
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance, with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!