HIPAA Compliance is a journey, not a destination. The Health Insurance Portability and Accountability Act (HIPAA) regulation is prescriptive, not descriptive; it tells covered entities and other healthcare organizations “What to do”, not “How to do it”.
The US Department of Health and Human Services purposefully did not establish national standards for safeguarding health information. Neither did they state what would absolve covered entities of any risk. In their own words, “What is appropriate … will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.”
How to become HIPAA Certified – DON’T BOTHER
This cannot be stressed enough. HHS does not recognize private organization’s “certifications” regarding the HIPAA Security Rule or HIPAA Privacy Rule.
Such a certificate is not worth the paper it’s printed on. Don’t become HIPAA Certified. (HITRUST Certification is another matter entirely). Read further to learn how to become HIPAA Compliant
Seven Steps to become HIPAA Compliant
While there are many ways to become HIPAA Compliant, here is a reasonable and appropriate path that has worked for many healthcare organizations. The question “How do I become HIPAA Compliant” will have different answers at each organization, but all will have these steps in common:
- Establish a HIPAA compliance program: HIPAA Compliance is not a one-time task. It will never be “Done”. It’s a part of doing business in healthcare, and must be approached as such. To set up a program, you need to appoint a HIPAA Officer and identify members of a HIPAA Governing Committee, to oversee the program.
Designate a single repository for documentation about HIPAA, and make sure that all employees can reach it. Set up an email address to reach the HIPAA Officer, such as firstname.lastname@example.org .
Lastly, establish a budget for the HIPAA program. This does not necessarily need to be money, but the HIPAA Officer should be allowed/expected to spend a portion of their time on HIPAA matters. This could be half a day per week at a smaller organization and a full-time job at larger ones.
- Inventory all your protected health information (PHI): HIPAA applies to protected health information, sometimes erroneously called “patient health information”. HHS has a definition of PHI on their website. PHI is most typically held in applications such as an EHR, but it can also be held in file shares and as Office documents on desktops and laptops. The inventory should include both the software (what application) and the hardware (what system) that contains PHI.
- Identify all external organizations that have your PHI: These days, PHI is often held outside of an organization’s own systems. Google Drive and Amazon Web Services, and cloud hosted services such as athenahealth, are examples of external organizations called “Business Associates” that store and process health information for others. These organizations should be included in your Inventory.
- Document policies and procedures: Ideally, you already have most of HIPAA-required policies and procedures in place, such as a password policy and a procedure to grant and remove access. If not, or if you’re not sure what policies and procedures you should have, read our article on what policies you will need and start writing. These policies should be approved by the Governing Committee and published in the repository you set up in Step #1.
- Conduct risk assessments, at least annually: You do not become HIPAA compliant by checking enough boxes. As mentioned above, the safeguards must be reasonable and appropriate, and what is reasonable and appropriate depends on your business, size, and resources.You determine what is “reasonable and appropriate” for you by conducting a risk assessment. HHS has published some guidance on risk assessments, as has NIST. At a minimum, the risk assessment should cover all of your PHI, include the threats and vulnerabilities to that PHI, and estimate the likelihood and impact of those threats, taking your current controls into account.
Once you’ve analyzed the risks, you should choose what to do about the highest, and have your Governing Committee accept the rest. You aren’t required to fix everything; some risks, particularly low ones, can be accepted.
- Perform HIPAA training for your staff: Employees should be trained upon joining the organization, and annually thereafter. There are companies who deliver this training on-line, such as KnowBe4, but the most effective training is customized for your organization with specific examples that people will encounter in their daily work. It’s the difference between “Dispose of disks properly” and “Jim will take your old computer and safely destroy the drive when it reaches 4 years old”. The former is bland and easily forgotten, the latter is tangible and more memorable.
- Audit yourself and make improvements as needed: As mentioned above, HIPAA compliance is a program, not a project. At least annually, prepare a report to your Governing Committee on how your organization is complying with its own policies, and the progress you’re making on managing/lowering the risks you’ve identified.
How do you become HIPAA compliant?
The short answer is “step-by-step, over a period of time”. It’s not something that can be done in a week, nor is it something that can be done once and left behind. Much like getting in shape, you become HIPAA compliant by having a solid program and working on it over time.