HIPAA Compliance & Healthcare Cybersecurity Services

HIPAA requires that covered entities have written policies and procedures that address each aspect of the law. Some companies believe that a notice of privacy practices is sufficient to be compliant with this rule, but that is not true. The documents provided must be an accurate reflection of your privacy practices by giving the details of your day-to-day operations. As this is a legal document, this can be difficult for businesses that lack the in house legal expertise to prepare these documents. Since this is the first document most auditors will request when evaluating your compliance, you want to make sure it’s prepared properly.

Every organization must assign a HIPAA privacy officer and a compliance committee. The privacy officer is responsible for developing a HIPAA compliant privacy program and enforcing it to achieve compliance. This includes protecting the integrity of personal health information (PHI), employee privacy training, conducting risk assessments and developing HIPAA compliant procedures where necessary. In order to properly fulfill this role, the person will have to keep up-to-date with all relevant state and federal laws.

It’s imperative that your company trains employees on how to properly handle and protect PHI. Training must be provided to each member of the workforce within a reasonable period of time after the employee joins the covered entity. The training should also be tailored depending on the person’s role and occur “periodically” for current employees.

It’s important that your organization’s culture have a sense of openness around compliance issues. Employees should be able to report concerns about compliance/privacy issues without fear of retaliation. They should also be able to ask for clarification and have documentation available to them to ensure they are acting in accordance with the corporate policy.

The same way people should get regular checkups to make sure they are healthy, it’s important that your business has regular internal audits to make sure that everything is working as expected. This way you can be confident that you are HIPAA compliant and will pass an external audit. For this to be effective it’s important that your internal audits are closing following HIPAA requirements. It does you no good if you pass an internal audit but the criteria that was being used doesn’t reflect the requirements of the Office for Civil Rights (OCR).

You need to have a documented plan of how you will enforce your HIPAA compliance program. This includes notification of new policies, making documentation available to employees, employee training and disciplinary action when people do not comply with the directives laid out by management. It’s important to establish and publicize what actions will be taken when an employee doesn’t adhere to the compliance program. 

Responding to violations quickly is very important in being compliant and avoiding fines. Whenever a violation occurs, it should be reported to the appropriate channels, including but not limited to the privacy officer of the organization. You may be able to avoid penalties if you can correct a data breach within 30 days. Additionally, you are obligated to give notice of reportable breaches “without reasonable delay” but no later than 60 days after discovery. You also have an obligation to have a means for customers to file complaints and respond to complaints from your customers within 180 days of them filing a complaint.