Securing Protected Health Information (PHI) is serious business. If your organization is a covered entity or a business associate that creates, receives, maintains, or transmits PHI, you’re subject to the Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, and to the Privacy, Security, and Breach Notification Rules issued under it. Violations are met with substantial fines, potential criminal charges, civil suits, and, of course, customer defection. These consequences apply whether the breach was the result of malice, negligence, or an unwitting mistake. No business, no matter how big or small, can afford to be complacent.
It is your duty to fully understand and implement the requirements of HIPAA, to make sure your employees are informed, and to keep your data systems secure. You are responsible to the individuals that HIPAA is meant to protect, and TMPC will ensure that you understand what is required of you and that you meet those requirements effectively and efficiently.
TMPC’s strategies will help you communicate your policies to your team, monitor compliance, and run instant security reports, all while putting you in a better position to demonstrate your compliance to auditors, ensuring that your business can keep doing what it does best.
FREQUENTLY ASKED QUESTIONS
Under HIPAA, business associates are third-party organizations that create, receive, maintain, or transmit PHI on behalf of covered entities. This includes companies that offer billing support, provide software, or host data. To stay compliant, a covered entity must have a signed Business Associate Agreement (BAA) in place before any PHI is shared with a business associate. The BAA is a legally binding contract that spells out how the business associate may use and disclose PHI, the safeguards it must maintain, and its duty to report security incidents and breaches back to the covered entity; business associates are also directly liable under HIPAA for their own violations.
Yes, you can manage compliance in-house, and the Department of Health and Human Services publishes resources you can use to assess, implement, and monitor your compliance. That said, HIPAA is a complex law with many layers of administrative, physical, and technical requirements, and most organizations choose to work with a third party, like TMPC, to help them protect their PHI security environment and avoid costly fines or even criminal charges.
POLICIES
Have clear, written policies and procedures in place covering the Privacy, Security, and Breach Notification Rules, reviewed at least every year and updated whenever your systems, vendors, or the regulations change. TMPC can help you create clear and thorough policies that are easy to communicate and implement.
HIPAA COMPLIANCE OFFICER
Appoint a team member as your organization’s HIPAA Compliance Officer (HCO). This person will serve as your HIPAA expert for the whole organization, offering training and keeping up to date on technology, compliance practice, and any changes to the regulations. HIPAA requires a designated privacy official and a security official; in a small organization the HCO can fill both roles. We can help you get your HCO up to speed so they can keep your team informed.
RISK ASSESSMENT
The HIPAA Security Rule requires a documented risk analysis that identifies the threats and vulnerabilities to the confidentiality, integrity, and availability of the electronic PHI you hold. The rule does not fix a schedule, but annual reassessment, plus a fresh review after any significant change such as a new system, vendor, or office, is the accepted practice. You are then required to address the identified risks in a timely manner, reducing them to a reasonable and appropriate level and keeping records of what you did, to stay compliant.
TRAINING
Support and ensure that your HCO provides annual HIPAA training for all staff, as well as training for new team members during onboarding, and keep records of who was trained and when. A HIPAA program is only effective if ALL stakeholders understand both its importance and how to comply.
MITIGATION
Even with the best strategies in place, breaches occur due to simple errors, outside attackers or, sometimes, disgruntled insiders. TMPC can help you develop clear incident response and remediation procedures that define who is notified, how the incident is contained and documented, and how harmful effects are mitigated, reviewed every year and updated as needed.
ASSESS THIRD PARTY COMPLIANCE
If you work with business partners outside of your organization, individuals and companies alike, assess their HIPAA compliance annually. If a business associate suffers a breach of PHI it holds on your behalf, you are still the party that must notify the affected individuals and HHS, so a gap in their security is a gap in yours. Make sure your business associates know what they’re doing.
REPORTING BREACHES
The HIPAA Breach Notification Rule requires you to notify the affected individuals and the Department of Health and Human Services when there is a breach of unsecured PHI. Individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered; breaches affecting 500 or more individuals must be reported to HHS within the same 60 days and, where 500 or more residents of a state are affected, to prominent media outlets as well, while smaller breaches are logged and reported to HHS annually. Report breaches without delay and ensure that all team members understand the importance of reporting and how to do it.