The First Steps to Becoming HIPAA Compliant

When we schedule an appointment to go over HIPAA compliance with a new client, we are always asked, “Where do I even start?” by the owner or practice manager. Becoming HIPAA compliant is a complex proposition that takes time, knowledge, and persistence. There are many steps involved, but the first steps are always the same: appoint a Compliance Officer and perform a full Security and Privacy Risk Assessment.

Appointing a compliance officer should be the easier of those two steps. Pick a person who has enough time to dedicate to compliance. For a smaller practice, this might be a couple of hours per week. For a larger organization, you may need someone who devotes all of their time to compliance.

Choose a compliance officer who will care about compliance. It is their job to watch for violations throughout the organization. A complacent compliance officer will likely result in violations being overlooked or no action taken when violations are found.

Your compliance officer will need to learn the laws, prioritize compliance tasks, and be able to delegate certain tasks to the proper departments. Do not pick an employee who has trouble delegating these tasks. A compliance officer will generally be unable to complete all compliance tasks on their own.

After choosing a compliance officer, the next step is possibly the most important aspect of compliance: the full security and privacy risk assessment. This assessment will take at least a day or two to complete for a smaller practice and could take many days or weeks for larger organizations.

A risk assessment is basically a full inventory of your technology, your privacy and security policies, and your employee training levels. You will start by documenting every piece of equipment that stores, transmits, or has access to PHI (protected health information): servers, workstations, laptops, phones, imaging equipment, backup media, and any cloud service that holds patient data. You will then be tasked with deciding whether that PHI is adequately protected (according to the law) against unauthorized access, and with recording the threats and vulnerabilities you found, how likely they are, and what you plan to do about them. Unauthorized access includes access by employees who shouldn't be accessing a particular record and non-employees who shouldn't have access to any records. Keep the written assessment: the Security Rule requires a documented risk analysis, and it is one of the first things an auditor asks to see.

Next, you will be reviewing company policies regarding patient privacy and data security. If you do not have any policies in place, you will be writing those policies from scratch. If you have some policies but are missing others, you will need to add the missing ones. For instance, if your organization doesn't have a documented policy for handling suspected breaches, you will need to write one. Or if your organization doesn't have a policy for employee passwords (password length and complexity, two-factor authentication for remote access, a prohibition on password sharing, what to do when a password is suspected compromised, etc.), you will need to add those policies to your employee handbook.

Now comes employee training documentation. You will need to find out the last time each employee was trained on HIPAA policies. If it's been more than 12 months, that employee should be retrained immediately. HIPAA itself does not set a fixed interval, but all employees should be retrained at least every 12 months whether there have been changes to your HIPAA policies or not, and every training should be documented with the date and the employee's signature.

After you finish this initial risk assessment, then you begin the task of remediating all of the gaps you found. If few gaps were found, this process can be quick. Maybe a few weeks. If you find that your organization is missing lots of documentation, policies, or proper security measures, the process of remediating these gaps can take months or years depending on the size of your organization.

How to Prepare For HIPAA Breaches

There are many steps you can take to prepare your organization for a HIPAA breach. If you are proactive, you can mitigate the severity of a breach considerably. And if you have the right policies in place, you can save your practice from large fines and other financial costs. Let's go over the things your practice should do to prepare for a HIPAA breach.

Be Prepared

The first step to handling HIPAA breaches is preparation. Do you have a written policy outlining steps to follow if you suspect or know there is a breach? Your written policy should touch on everything else I will mention below. It should be fairly comprehensive including who is in charge of investigating the breach and how each step will be handled.

Train Your Staff

Writing a plan is not enough; your employees must be taught how to find and follow that plan. During your yearly HIPAA trainings you must review the steps an employee should take if they suspect or know about a breach, including whom to tell and how quickly.

Give Employees A Way To Anonymously Report Breaches

The law prohibits retaliating against anyone who reports a suspected violation or breach, and employees should know that. The practical way to honor this is to give employees a way to report breaches anonymously if they fear retaliation. You must teach them how to report a breach anonymously during their annual HIPAA trainings.

Teach Your Business Associates To Report Breaches Back To You

Make sure each outside company you do business with that has access to your patients' data is aware that it must report suspected breaches to you promptly; the Breach Notification Rule requires a business associate to notify the covered entity after discovering a breach, and the clock for your own notifications starts when the breach is discovered. Make sure your Business Associate Agreements are updated to include who is responsible for contacting patients in the case of a breach. Generally you would want this responsibility to fall on the Business Associate if they cause the breach, which moves most of the cost and much of the liability onto the Business Associate. Keep in mind, though, that the covered entity remains responsible for making sure patients are notified on time, so the BAA should also require the Business Associate to tell you when and how it notified them.

As Soon As A Breach Is Known About Or Suspected, Perform A Risk Assessment

After finding out about a breach situation, immediately begin an investigation. Perform a risk assessment to find out what was breached and whether any Protected Health Information may have been stolen, lost, or viewed by someone who shouldn't have seen it. This assessment is what determines whether the incident must be reported: it weighs what kind of PHI was involved, who received it, whether it was actually acquired or viewed, and how much the risk has been mitigated. Document the result either way. Find out what caused the breach so you can remediate any gaps you have in security or policies.

Notify All Affected Parties

You must notify any patients whose data was breached without unreasonable delay, and in no case later than 60 calendar days after the breach was discovered (or should reasonably have been discovered). You will need to send notices by first class mail (or email if your patients have opted in to receive notices that way) to each patient affected. HIPAA does not itself require credit monitoring, but it is commonly offered and may be required by state law. You must also notify the HHS Office for Civil Rights (OCR) about every breach. If a breach affects fewer than 500 patients, you must notify the OCR within 60 days of the end of the calendar year in which the breach was discovered. If a breach affects 500 or more patients, you must notify the OCR within 60 days of discovery of the breach, and if more than 500 residents of a state or jurisdiction are affected you must also notify prominent media outlets serving that area, typically with a press release. Notifying the media allows affected patients to find out about the potential threat of identity theft more quickly.

Log Everything

If there is a breach, start logging everything from day one: any discussions you have with employees, any information about the breach, whom you contact and when, what led to the breach, what you are doing to stop future breaches, etc. Log it all and keep it on hand for the OCR. They will want to see that you acted promptly and did what you could to protect your patients.

HIPAA Compliance for Dental Office Managers

J.J. Micro works with a variety of dental practices in the Saint Louis area. We offer a HIPAA compliance as a service package called PracticeProtect™ that brings practices into HIPAA compliance and provides the IT support that all 21st century practices are in need of.

When we first started working with dental practices, we focused all of our HIPAA compliance remediation on the technology side of the business. We were mostly concerned with preventing breaches caused by improper security protocols, lack of encryption, and unsecured networks. But as we started becoming HIPAA certified ourselves, we realized that we were missing about half of the HIPAA compliance equation: the administrative side of HIPAA.

While performing internal HIPAA audits for our clients, we have found that many practices are missing some of the most basic requirements of HIPAA. Things like simple documentation, annual employee HIPAA trainings and refreshers, and many practices even lack a designated HIPAA compliance officer. This led us to design PracticeProtect™ around these failures so that we could offer a solution that automates many of these requirements so doctors and practice managers can focus on providing the best care for their patients.

The purpose of this article is to go over some of the most commonly missed items so that as a practice manager, you can know whether you are HIPAA compliant or not. With the OCR scheduling surprise audits starting in 2016, all covered entities (like dental practices) are at risk of hefty fines if they can’t prove they are HIPAA compliant. Let’s go over some of these commonly missed compliance gaps so that you can work on a plan to become compliant yourself.

HIPAA Documentation Binders

The most commonly missed and arguably most important item to have in an audit is documentation. If an auditor calls, emails, or shows up at your office, the first thing they will ask you for is your HIPAA binder. They will want to see that you are documenting everything from your privacy statement for patients to your record of when each employee last took their HIPAA refresher training. If you don’t already have a HIPAA binder, you should start one today. If an OCR auditor asks you for your HIPAA binder and you don’t have one, they are much more likely to do a full audit and start handing out fines. A thorough HIPAA binder will likely be about 25 to 75 pages and will be updated regularly.

Annual HIPAA Training for your Employees

Many practices do take the time to do occasional HIPAA trainings for their employees. However, we find that it's not unusual for there to be long lapses in between trainings. HIPAA compliance laws require regular documented training of existing employees and initial training for any new employee. Most experts agree that even though there is no set time limit for regular training intervals, one year between trainings should be the maximum. In addition to ensuring these trainings take place, you will need a signed document from each employee each time they take the training so that you can prove to an auditor that each employee understands what is required of them regarding HIPAA compliance.

BAAs (Business Associate Agreements)

If you do business with any outside vendor that comes into contact or potentially comes into contact with PHI (protected health information), you will need a BAA signed and on file for that vendor. A BAA holds vendors accountable for properly handling your PHI to prevent breaches or losses. Examples of vendors that would require a BAA are IT service providers, insurance billing providers, document shredding handlers, accounting services, online data backup services, cloud server providers, and email encryption services. Vendors whose contact with PHI is only incidental, such as janitorial crews or building contractors who are never given access to records, generally do not need one under HHS guidance, but they should still be kept away from unattended records and workstations. Every BAA should be on file in your HIPAA binder and will need to be reviewed annually to ensure it still reflects current HIPAA requirements.

Designated HIPAA Compliance Officer

HIPAA standards require that your practice designate a HIPAA compliance officer; technically the rules call for a privacy official and a security official, and in a small practice the same person usually fills both roles. It is this person's duty to ensure that the practice is following HIPAA compliance laws in all areas. This person will keep the HIPAA binder up to date, ensure employees are taking their trainings, and be a general watchdog to ensure that employees are handling PHI with care. Most commonly this responsibility falls on the practice manager. If the OCR contacts your practice about a HIPAA audit, lack of a designated compliance officer will be a big red flag.

Regular HIPAA Security Reviews

HIPAA laws require that your practice regularly perform a self audit to address any new gaps that may have opened regarding your HIPAA compliance. Again, most experts agree that regularly in this case refers to yearly. In addition to doing a full internal HIPAA audit yearly, you must document your findings and document any remediation steps you took. This should all be in your HIPAA binder. If the OCR asks for your HIPAA documentation and doesn’t find any information about an internal audit in the last 12 months, that is another big red flag.

Record Retention and Disaster Recovery Plan

An important and often overlooked aspect of HIPAA compliance is record retention and disaster recovery. The state of Missouri requires your practice to keep patient medical records on file for 7 years. If you were to lose unencrypted medical records during that 7 year period, for instance on a stolen laptop or a failed server with no backup, it would be considered a breach, and civil penalties are assessed per violation (historically up to $50,000 per violation, with an annual cap). For this reason, it's important to have a good backup plan and a documented disaster recovery plan; the Security Rule explicitly requires a contingency plan covering data backup, disaster recovery, and emergency operations. Do you have a document that outlines exactly what will take place if your building were lost in a flood, tornado, or fire? An auditor from the OCR will want to see that you have a documented step-by-step plan to recover all patient records from an encrypted off-site backup, and that you have actually tested a restore rather than just assumed the backups work.

PracticeProtect™

Time and time again we have found that doctors, dentists, practice managers, and other staff just don’t have enough hours in the day to stay focused on HIPAA compliance. With PracticeProtect™ we automate as many of the steps as we can. You will still need to understand HIPAA compliance and follow security standards to ensure PHI is safe. But employee training, writing BAAs and reviewing them annually, designing privacy forms for your patients, sending patient records over the internet using encryption, performing security audits, and all of the hundreds of other small details will be available to you in a simple and easy to use web platform. J.J. Micro will design a customized compliance plan for your practice and help you follow that plan to maintain compliance. With PracticeProtect™ you can know that even when a new HIPAA law is passed or when HIPAA rules are changed, your plan will be updated accordingly. You will no longer have to worry about a surprise HIPAA audit. When they ask for your HIPAA binder you can hand it to them and smile knowing there won’t be any issues.

Give J.J. Micro a call today at 636-556-0009 to schedule your free, no strings attached, HIPAA compliance check. We can help you decide if you are compliant or if you need PracticeProtect™.

Click here to learn more about PracticeProtect™.