5 Tips for HIPAA Compliance

Planet HIPAA had this great article that shared 5 tips to ensure an effective HIPAA program. The reality is that HIPAA is a pretty flexible program that in many cases is open to some interpretation by the medical practice. There are exceptions, but HIPAA is generally about reducing risk as opposed to strict compliance. That’s reflected in this list of 5 tips from Planet HIPAA:

1. Conduct a Risk Assessment/Analysis

2. Create, Review and/or Update all HIPAA policies and procedures

3. Provide Workforce HIPAA Education

4. Conduct regular HIPAA Audits

5. Use Security Technologies

Most of the items on the list aren’t rocket science. However, my guess is that most medical practices will go through this list and realize that they have work to do. Whether it’s not doing a HIPAA risk assessment regularly (yes, sadly this still happens), or whether it’s not documenting or training, most practices will have something they could improve when it comes to HIPAA compliance. How’s your practice doing? My guess is you know where you’re lacking.

My favorite tip on this list was to use security technologies. HIPAA has some really good elements that help a practice protect PHI, but HIPAA does not equal secure. There is plenty more that a medical practice needs to do to ensure that their practice is secure and protected against the malware, ransomware, viruses, and other online threats that exist and are bombarding their IT infrastructure from every angle. HIPAA is required by law, but security beyond HIPAA is required to avoid a cybersecurity disaster in your organization.

The sad reality for many small practices is that they aren’t keeping up with the HIPAA requirements. This was illustrated by this story from Dr. Jayne:

One of my friends admitted that she had her work laptop stolen and didn’t report it to anyone despite it containing protected health information. That sort of thing is one of the perks (or hazards, depending on how you look at it) of owning your own practice and not fully understanding the huge number of laws that impact our practices. At least she realized after attending the conference that she should have taken additional action.

Dr. Jayne described most small medical practices’ feelings perfectly when she said the “perks (or hazards, depending on how you look at it)” of owning your own practice. Ignorance is bliss until you’re stuck on the front page of the paper or in some lawsuit. I’ll never forget the doctor who told me “They won’t throw us all in jail.” Maybe not, but they won’t be afraid to send you all fines.

An ounce of prevention is worth a pound of cure. This seems quite appropriate when it comes to HIPAA and security in a medical practice.

About the author

John Lynn

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.

1 Comment

  • Yes these are all good tips. Tips 2 and 3 can be fulfilled using HIPAACow or other website that has updated documentation. There are many decks and videos out there. Tip #1, is something I do regularly. The risk assessment is carried out using a tool from CMS. The tool is only half of an assessment, the assessor must look at the security of the devices, network and software at the practice. Cloud-based (distributed computing infrastructure that houses data and software off-premises) is not a risk-free enterprise and must be documented regarding DR and security. BAAs and background checks must be carried out. Who pays for all this above and then add security technologies into the mix. How many practices do their own I.T.? How many doctors know what an IPS or IDS is? How many can afford them and how many can afford not to? The data is marketable, it’s stolen to SELL.

Click here to post a comment