Back

Healthcare  Process Improvement

Modernizing your HIPAA compliance program

01/31/2023

by Chris Scoggins

HIPAA compliance programs can be tricky for providers and covered entities, regardless of size. I discovered this first-hand late last year when my wife called to set up her own appointment with a provider I also visited. As soon as my wife gave her information, the assistant on the other end of the line recognized our shared last name and proceeded to discuss my scheduled appointments with her.

Intentional or not, this provider just committed a HIPAA violation, as my wife was not on my Protected Health Information (PHI) disclosure list. While there was no real damage done, such incidents serve as a cautionary tale for how easy it is for breaches to occur. This incident also introduces a larger question: How do covered entities create an effective HIPAA compliance program, despite a growing market for PHI and increasing security challenges in an ever-changing healthcare landscape? To answer this, first, we need to understand the risk.

Understanding your risk for HIPPA violations in the information

If you’re a provider or covered entity placing their HIPAA compliance on the back burner, you aren’t alone. As of November 2022, HHS noted 68% of their investigated complaints found HIPAA-required entities that were not HIPAA compliant. While the penalties for noncompliance vary depending on a number of factors, the potential risk for violations has grown with a burgeoning information market for PHI. 2021 was a record year in HIPAA violations nationwide due to multiple risk factors, including:

1. The adoption of remote work and telehealth. As remote work has flourished, so too has access to PHI shared across unsecured networks or with third parties. Team members working from home often lack the physical and digital safeguards of offices. Meanwhile, telehealth provides more avenues for information to be stolen electronically.

2. The rise in patient demands for PHI. Patients are demanding greater access to their health data. What used to require a phone call or in-office visit can now, largely, be shared digitally. With this change, opportunities for potential violations have increased.

3. The failure to establish compliance agreements with businesses associates. Not all covered entities are providers, but everyone who has access to PHI is required to keep it safe. Often, business associates that partner with providers or institutions have access to PHI, but the business agreement itself isn’t HIPAA compliant. If one of these business associates suffers a breach, the provider or partner institution is liable.

4. The incentive for bad actors to intercept PHI. Individual healthcare records are now worth hundreds of dollars on the dark web. This has created a powerful incentive for hackers to secure this data. This contributes to a growing number of cybersecurity threats, including ransomware attacks.

Building the frameowrk for your HIPPA compliance program 

Generally, there are three key areas behind HIPAA compliance:

• Administrative Policy & Procedural Safeguards: This includes policies procedures, training, and a dedicated compliance department to ensure that all team members are following HIPAA compliance practices.
  
• Physical Safeguards: This includes protection against physical PHI breaches, such as the theft of hardware or files.
  
• Technical Safeguards: This includes digital safeguards, such as the encryption of electronic PHI.

While the need for a three-pronged approach is warranted, for this blog we will focus on what is, surprisingly, the largest soft spot for HIPAA violations across covered entities: making the organizational shift to robust administrative and procedural safeguards.

Making your organization shift to HIPPA compliance 

1. Establish a HIPAA champion. For most organizations, this individual is the compliance or privacy officer who supervises and enforces the HIPAA policy and training. Larger organizations may have significant staff and resources devoted to this role, while smaller entities may simply assign this role part-time to a team member. Regardless of the number of people involved, establishing this champion, or these champions, is a crucial first step to ensuring entity-wide compliance.

2. Develop policies and risk assessment practices in accordance with OCR and HHS guidelines. Regular assessments are a part of all three fronts of HIPAA compliance, but risk assessments related to administrative safeguards involve auditing an entity’s security management process for PHI, access protocols for information management, and workforce training. Once policies and procedures are in place, it’s time to establish a plan to roll out and train your team members and determine a schedule for regular audits and assessments.

3. Train your workforce. Now that policies and procedures are in place, it’s time to create a training plan. The effectiveness of these training plans relies on your compliance officer’s or department’s commitment to remaining current on HIPAA regulations. Some entities make the mistake of conducting HIPAA compliance training once a year, or only as a part of onboarding. While we encourage you to conduct initial training of your policies and procedures as a part of the onboarding process, regular training and reminders will ensure that HIPAA stays top-of-mind for everyone at the organization.

4. Create a maintenance plan for ongoing training and education. HIPAA compliance and the threats it faces are constantly evolving, so your approach must evolve as well. We’ve already discussed the importance of regular audits, which are a part of any maintenance plan, but regular training is just as important. Often, annual training is not enough; quarterly training about the responsibilities of individual team members and their role in potential violations is crucial. Think we’re overstating the issue? Investigations into compliance found that less than 78% of employees for covered entities have a basic understanding of privacy and security laws related to PHI and HIPAA. Your training should cover a plan to address access controls, security risks, and anything your compliance officer defines as crucial. Ongoing maintenance should include regular tests for employee compliance as a part of an audit. Offering incentives for compliance training is just one way in which you can ensure your long-term training protects against breaches made by your personnel.

---

Need guidance charting your path to compliance? We can help. 

Whether you are an established covered entity, or a small provider office new to navigating the ins and outs of HIPAA compliance, Sendero can equip you with the tools to face the challenge head-on. Fill out the form below to connect to a consultant and start the conversation about PHI security in your organization.

---