According to the U.S. Department of Health and Human Services (HHS), the HIPAA Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. Additionally, the Security Rule establishes a national set of security standards for protecting specific health information that is held or transferred in electronic form.
HIPAA regulation outlines a set of national standards that all covered entities and business associates must address.
* Self-Audits – HIPAA requires covered entities and business associates to conduct an annual Security Risk Assessment of their organization to identify Administrative, Technical, and Physical gaps in compliance with the HIPAA Privacy and Security standards.
* Remediation Plans – Under HIPAA, a Security Risk Assessment alone is not enough to be compliant; it is only one essential audit that HIPAA-beholden entities are required to perform in order to maintain their compliance year over year. Once covered entities and business associates have identified their gaps in compliance through these self-audits, they must implement remediation plans to correct the compliance violations. These remediation plans must be fully documented and include calendar dates by which each gap will be remedied.
* Policies, Procedures, Employee Training – Covered entities and business associates must develop Policies and Procedures corresponding to the regulatory standards outlined in the HIPAA Rules. These policies and procedures must be regularly updated to account for changes to the organization. Annual staff training on these Policies and Procedures is required, along with documented employee attestation stating that staff have read and understood each of the organization’s policies and procedures.
* Documentation – HIPAA-beholden organizations must document ALL efforts they take to become HIPAA compliant. This documentation is critical for passing strict HIPAA audits during an HHS OCR investigation.
* Business Associate Management – Covered entities and business associates alike must document all vendors with whom they share PHI in any way and execute Business Associate Agreements to ensure PHI is handled securely and mitigate liability. BAAs must be reviewed annually to account for changes to the nature of organizational relationships with vendors. BAAs must be executed before ANY PHI can be shared.
* Incident Management – If a covered entity or business associate has a data breach, they must have a process to document the breach and notify patients that their data has been compromised in accordance with the HIPAA Breach Notification Rule.
Note: There is no HIPAA requirement that an independent audit be performed. There is also no such thing as a HIPAA certification. As a result, any entity can self-audit against the HIPAA requirements.
Zartech's solution, Cyberator, helps you identify which HIPAA requirements apply to your organization and guides you through HIPAA compliance. Within a short period, Cyberator can help you conduct a self-assessment and provide you with a remediation plan to address all of the identified gaps. Our security advisor will also guide you along the way.