As we have weathered the storm that is 2020, it’s been easy to sweep HIPAA requirements and other security measures under the rug. However, Q4 is here and it’s crucial that your medical practice meets these standards to avoid fines, security breaches, and damage to your reputation.

#1 Conduct Your Annual Risk Assessment

As a covered entity under HIPAA, you are required to conduct a Security Risk Assessment (SRA) every year. Avoid some stress, and don’t push this off to December 31st.

The HIPAA Security Rule outlines three major areas that must be evaluated during your SRA: administrative, physical, and technical safeguards.

Administrative safeguards include training employees, establishing and updating policies and procedures, and designating a Privacy Officer to be responsible for HIPAA compliance within the organization.

Physical safeguards are those that limit entrance to facilities and protect devices storing Protected Health Information (PHI) from being accessed by unauthorized personnel. Make sure that your facility has a good security system in place, and that sensitive information isn’t stored on devices that can be accessed by anyone.

Finally, technical safeguards are those that keep electronic PHI secure, through technical processes such as data encryption, multi-factor authentication, and other cybersecurity systems.

A good SRA incorporates all three of these categories in one comprehensive analysis. Once the SRA has been completed, your organization should have a clear picture of where your security is strong, and where it is lacking, with specific next steps.

#2 Ensure You Have Updated “Bring Your Own Device” Policies

Allowing your employees to bring their own devices to work gives your organization more flexibility, but it also presents some serious security threats.

The best way to protect yourself and remain HIPAA compliant is to create and implement strict B.Y.O.D. policies.

These policies should include limitations on what types of devices are allowed in your facility, and should require that any device used to access PHI be encrypted. It is also critical that you have the ability to remotely wipe all data from a device in case it is ever lost or stolen.

Other relevant guidance, such as which apps and software are acceptable and what good password management looks like, should also be included in your B.Y.O.D. policies to make them as effective as possible.

Once you have created these policies, you must train your employees on the processes you have outlined. Ensure they are familiar with all the information, and know how to access the policies in case they have any related questions.

#3 Establish a Contingency Plan

The worst time to plan for an emergency is when the emergency strikes. Many practices felt this when the pandemic initially hit, and if you weren’t prepared, it’s likely that you had to struggle to stay afloat.

There are four key elements of an emergency plan that make sure your organization is prepared when the next disaster occurs.

1. A Security Risk Assessment
Again, conducting an SRA is the best way to find out where your practice stands and what security measures you need to be implementing or improving to protect yourself from a breach.

2. A Communication Plan
In case of an emergency, employees should know exactly whom to communicate with and how. This plan should prevent most of the chaos, and keep everyone in your organization on the same page.

3. Policies and Procedures
Just like any good policies, your emergency plans should be regularly reviewed and updated, and accessible from anywhere.

4. Training and Testing
Run a simulated scenario with your team, and see if they know how to respond. Every employee should be comfortable with plans for evacuation and for continued operation under emergency circumstances.

By putting these three steps into practice, you will both strengthen your organization and protect yourself from breaches, fines, and the stress and headaches that come from not knowing whether you are sufficiently protected.