A comprehensive HIPAA assessment will almost always find problem areas and vulnerabilities that might affect your HIPAA security compliance. If you work with an experienced healthcare IT service provider, once they've completed an assessment, they should provide you with a detailed results report. This report will flag risks and identify any policies, processes, or workflows that should be revised.
The good news is that once you know the areas you need to address, you can either fix them or set up processes to monitor them until you are able to adequately address them. This will help keep your healthcare organization HIPAA compliant and better protect your patients' data.
In this blog, we'll break down the five key steps that your healthcare organization should take after receiving your HIPAA assessment results.
1. Consult with your HIPAA assessment provider
It is highly advisable for healthcare providers to work with a third-party, HIPAA security compliance expert for regular risk assessments. A third-party provider brings an objective and expert perspective and is thus more likely to spot blind spots or deficient processes that your in-house IT team might miss if it were to perform the assessment.
In addition, a HIPAA compliance risk assessor will usually offer a consultation after it delivers your report. This gives you the ideal opportunity to ask questions; check your understanding of issues flagged and the risks involved; learn simple, cost-effective solutions; and discuss how to implement next steps to help mitigate the risks.
2. Put your remediation plan into action and document your progress
Your HIPAA assessment is only useful if you take action to address identified risks. If you do not act on the recommendations included in your report, you could be putting your patients' protected health information (PHI) and your organization's financial data at risk. In fact, failure to take adequate steps to help prevent HIPAA breaches could even be considered willful neglect, likely leading to a civil penalty or even worse. For instance, the Texas Health and Human Services Commission was fined $1.6 million for their failure to protect patient data or adequately assess and respond to a potential cybersecurity vulnerability.
You not only need to start taking action to address and reduce risks and vulnerabilities, but you should also document every step that you take when implementing your action plan, including progress reports and milestones. HIPAA security compliance requires that you conduct regular assessments, document any potential risks, and demonstrate your response. You will need to provide this documentation if your organization undergoes a HIPAA audit.
3. Plan and schedule staff training and education
After undergoing your HIPAA assessment, you will have a better idea of your organization's weak spots. As with most security failings, the most likely cause of a data breach is human error. Therefore, you should schedule regular staff training to review best practices and requirements and to review any mistakes made in the past are not repeated. Again, your HIPAA security compliance consultant may also be able to advise you on a suitable training and education plan.
Everyone in your healthcare organization that works with confidential patient information should receive regular training and refresher courses on HIPAA security compliance. This can include everyone from doctors and nurses to IT staff, administrative staff, and front desk personnel. The appropriate training will depend on the technology you use, the kinds of information you are working with, and the specific needs of your organization, but should usually cover at least the following:
- What information is protected under HIPAA regulations
- Why it is protected
- Correct ways of handling information
- Instructions on the compliant use of IT systems, computers, and other data storage systems, especially any new tools or workflows
HIPAA training is mandatory for compliance and must be repeated "periodically," according to federal guidelines. It is therefore very important that you follow up on your HIPAA assessment with staff training and make sure that you carefully document all education events and staff attendance at them.
4. Perform due diligence on business associates
After you've received your HIPAA assessment results, you should also take steps to make sure that not only your organization but also your business associates are working to maintain HIPAA compliance.
A business associate, under HIPAA guidelines, is defined as "… a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity." In other words, any organization with which you share patient information is likely considered a business associate. This would include, for example, a revenue cycle management company, transcription service provider, accounting firm, and managed services provider.
All your business associates must sign and comply with a business associate agreement. They should complete and document their own HIPAA assessments and address any potential risks. Finally, they should also be aware of the correct way to notify you of a data breach and what steps they should take in the event of a breach.
5. Monitor and document your progress, and repeat the assessment as often as necessary
HIPAA compliance is not a one-time process. Rather, it should be an ongoing and continuous effort to handle your patients' confidential information with the utmost diligence and safety. To remain compliant, your healthcare organization will need to carefully document and implement a plan of action to address risks and vulnerabilities flagged in your HIPAA assessment. You will also need to build systems to best ensure that you constantly monitor your progress toward resolving or reducing any identified risks. You should plan to repeat your assessment every time you introduce a new IT system or way of managing patient data or have experienced significant turnover or a change of ownership. In addition, you should schedule a regular HIPAA assessment every year or you will risk breaching HIPAA security compliance guidelines.
Maximizing the Benefits of a HIPAA Assessment
HIPAA security risk assessments are vital to maintaining HIPAA compliance, but your assessment will only protect your patients' data and your healthcare organization if you take steps to put it into action. At Medicus IT, we specialize in delivering systems and solutions that keep healthcare providers compliant and efficient, including conducting comprehensive HIPAA risk assessments. To learn more about what you need to review in your HIPAA security risk assessment, download a complimentary copy of our Security Risk Assessment Checklist.