A Month-By-Month HIPAA Compliance Guide
In this plan, you’ll see an emphasis on two words: documentation and training. Here’s why: documentation and training are the two most important pieces of the entire Health Insurance Portability and Accountability Act (HIPAA) compliance process. Documentation helps you understand what has been done, what still needs to be done, and where the problems are. Documentation is also your proof in the case of compromise or investigation. Employee training is what keeps your organization compromise-free.
Both documentation and training should never be piled into just one day, or one month. If you only train employees once a year, you’re doing it wrong. If you try to document your entire HIPAA compliance plan in December every year, you’re doing it wrong. Documentation and training should be an ongoing part of your plan.
Even though 80% of healthcare entities believe their organization is fully HIPAA compliant, many are actually missing key compliance elements within the HIPAA Security Rule.
UNDERSTAND YOUR ORGANIZATION
Before you start anything else on your HIPAA timeline, the first thing you must do is find where your protected health information (PHI) is located.
Why? Only by finding PHI will you know how to protect it. This is the first step to creating that very important HIPAA risk analysis required by the Department of Health and Human Services (HHS). To find your data, you have to learn every single process it goes through, every computer it sits on, every person who touches it, and every technology that has access to it.
YOUR JOB THIS MONTH? BECOME THE EXPERT ON ALL THINGS PHI.
The people on the ground handling this data on a daily basis will give you the most accurate look into the different data lifecycles in your organization. Start your new year by interviewing every department that touches PHI in any way, including third parties. Talk to different people within each department. They can uncover processes and technologies that no organization chart, tool, or previous data analysis could expose.
By the time you’re done with your extensive interview process, here are some things you should be able to identify:
- How data enters your environment
- Where it goes after entering the environment
- Where it’s stored
- If it’s sent off to a third party
- If it’s printed and stored
- If it’s recorded straight into the electronic health record (EHR) system
- Workforce members who can extract PHI from the EHR system
- How employees store PHI after they download it from the EHR system
- If it’s encrypted
It doesn’t matter what healthcare organization you work for; you will discover hundreds of data paths.
Throughout the month, ensure you understand how technology and personnel affect PHI. Record every computer, medical device connected to the Internet, office computer workstation, doctor tablet, and employee BYOD smartphone.
Document what you’ve learned; be as detailed as possible. Draw pictures, make lists, and record the who, what, when, where, how, and why. Documentation should rule your world for three main reasons:
- Your future. If you document, you’re making next year’s job that much easier.
- Your legacy. Documentation will give future successors a great view into the environment.
- The HHS. If the HHS comes knocking, documentation is your get-out-of-jail-free card. If you can show them how you’re working toward full HIPAA compliance, they’ll be much more lenient.
CREATE AND DOCUMENT A FLOW CHART
What have you learned in the past month? To process the information you learned and organize it in a way that will make sense in the future, craft a PHI flow chart.
A PHI flow chart is a graphical representation of where PHI comes into your organization, where it hangs out, who can access it, and where it leaves the organization. Most flow charts look like the typical box and arrow format, but feel free to get creative.
Flow charts are often massive. Healthcare is probably the most interconnected industry in the world.
Patients fill out forms at hospitals, which pass patient records to doctors’ offices, which then transfer medical records to pharmacies. Patients add sensitive information to third party patient portals online, which then email a dentist receptionist, who then prints and stores it in a giant file cabinet.
This interconnectedness is great for patients but an absolute nightmare for security. Generally, the more places that have access to patient information, the higher the chances for a HIPAA compromise or data breach. And that’s why PHI flow charts are so important. They document every instance within your own environment where PHI could enter, exist, or exit. This flow chart will assist you during the rest of this year’s HIPAA compliance plan.
START REGULAR EMPLOYEE TRAINING
Now that you’ve got the patient data location part under your belt, it’s time to take a quick break and organize your plan for employee training.
Your employees are the lifeblood of your organization. They can also be a security risk. Most HIPAA breaches and security issues within healthcare originate at an employee level. That’s why annual or even quarterly trainings aren’t enough.
Make a plan for how often you’ll train employees and which methods you’ll use. Each organization will run employee trainings differently depending on its workforce, but here are some questions to ask during your planning phase:
- Will each department lecture their employees every two weeks on a certain topic?
- Will each employee be required to take an online training course each month?
- Who will be in charge of ensuring employees complete trainings?
- Will you send out data security emails to supplement trainings?
- Will you require all new hires to pass a test before employment?
- What punishments will exist for employees who refuse to attend training?
- Will you require employees’ signatures for training sessions?
- Will you provide incentives to those with the highest scores or who have completed training?
Documentation is a very important part of employee training. If the HHS comes knocking, you should be able to tell them the date each workforce member last underwent training, what that training was about, what past training they’ve had, and the next time they’ll undergo training.
TEST YOUR EMPLOYEES
The best way to analyze the effectiveness of your security training program is through employee testing. When incidents happen, how will employees respond? Was last month’s training effective?
This idea of testing employees is becoming very popular in the healthcare sector. Here are two common ways you can test employees:
Social engineering: Hire an ethical social engineer to see if employees will question or report someone who doesn’t belong in their work environment. Have the social engineer dress in a maintenance uniform, walk into a secured area, and attempt to steal PHI. What do your employees do?
Phishing: Send staff a fake phishing email (created by your IT team), and track the number of opens to see how many fall for it. In recent SecurityMetrics forensic investigations, 17% of organizations were breached through phishing emails.
After analyzing the experiments’ results, make a plan for the future. How will you adjust trainings going forward to ensure employees understand what to do in these situations? As always, don’t forget to document how tests were conducted, who participated, the results, and your future plans to mitigate these failures.
The results from your tests will also give you some great statistics to present to a budget-conscious board of directors who need a little nudging when it comes to security.
LOCATE PROBLEM AREAS
With your intimate knowledge of systems, technologies, and processes (from January and February), locate the risks, threats, and vulnerabilities that currently exist in your organization.
- What vulnerabilities exist in your systems, applications, processes,
- What threats (internal, external, environmental, and physical) exist for each of those vulnerabilities?
- What is the probability of each threat triggering a specific vulnerability?
Even if you created a comprehensive PHI flow chart and feel you understand exactly what’s going on at your organization, you probably need someone well-versed in IT data security and HIPAA compliance to help you analyze your vulnerabilities.
A major component of the required Risk Analysis is to locate where your organization’s security fails.
By examining vulnerabilities, threats, and risks, you’ll be able to narrow down which problems must be addressed right away.
- Do you use the cloud? What are the
- How are physical copies of PHI stored?
- Is encryption implemented throughout the entire organization?
- Do third parties use multi-factor authentication when using remote access into your environment?
- When employees leave workstations, do they turn on a password-protected screensaver?
Capture each vulnerability, and record its potential impact, risk level, and when you found it.
Do yourself a favor and run vulnerability scans to identify more weaknesses in your organization’s network and systems, or contract with ethical hackers to conduct a penetration test to see where holes exist in your environment.
If you’ve documented everything up until this point, you’ve created your HIPAA risk analysis.
CREATE A RISK MANAGEMENT PLAN
Now that you’ve created a giant list of problems, you’ve got to plan out how you’ll deal with them. Spend June crafting a thorough risk management plan. Your plan should document:
- Each HIPAA rule: It’s easiest to organize a risk management plan the same way HIPAA is outlined. Line item each HIPAA rule, and work from there. That way, you won’t miss anything important.
- Your plan: Next to each HIPAA rule, detail your organization’s plans to comply with each rule. This portion should outline the detailed action plan for your risks.
- Risk level: Each vulnerability discovered from your risk analysis should be noted in the corresponding HIPAA rule, and given a risk level (high, medium, low).
- Date completed: Including a date completed section is helpful for both HHS documentation and your own records.
- Completed by: This is great for practices where two or more people (such as a doctor and office manager) are working to complete a risk management plan together.
- Notes section: It’s helpful to include a comments section next to each requirement, including what policy is associated with the requirement; this helps you stay organized for years to come.
Creating this plan from scratch will likely take you the entire month (or longer), and should be a joint effort among directors, IT, security administrators, etc.
START FIXING YOUR PROBLEMS
Now, you have one giant list of HIPAA compliance to-dos. Instead of feeling relieved that you’ve created a risk management plan, you might feel overwhelmed. After all, you haven’t even started fixing any of your problems yet. You’ve just been researching and documenting.
Don’t get overwhelmed. Instead, prioritize.
It’s not about finding time. It’s about maximizing the little time you have.
As you prioritize, ask yourself:
- What are the most important parts of your risk management plan?
- Which vulnerabilities are most likely to be exploited this year?
- Where are your highest threats?
HIPAA compliance doesn’t have to be unmanageable. Break it up into manageable pieces. Start with small changes, such as designating a privacy and security officer, updating your systems, or training employees.
Pick the top five problems at your organization and tackle those first. Make an action plan for the next five problems. Pretty soon, you’ll be on your way to total HIPAA compliance.
CREATE AN INCIDENT RESPONSE PLAN
A lot of healthcare organizations have an incident response plan . . . but it’s been collecting dust on a shelf for five years. It’s time to pull it out, blow off the dust, and update it. Your systems, processes, and personnel change constantly. New possible incidents arise every year that your employees might not be prepared to deal with.
When creating your plan, use the information gleaned from your risk analysis and risk management plan to create realistic example situations.
Staff must be trained regularly on this plan to effectively execute it.
Here are some questions to ask yourself when you create your incident response plan:
- What types of security precautions are in place?
- What is the protocol if an employee suspects a data breach?
- Internally and externally, who should be notified if an incident occurs?
- Do employees know their responsibilities before, during, and after an incident?
- What if a co-location or business associate is involved in the incident?
TEST YOUR INCIDENT RESPONSE PLAN
Through comprehensive testing, you’ll be able to answer the real question that matters: Does your incident response plan actually work?
Why do fire drills exist? If people already know where to go and what to do when the fire alarm goes off, they don’t think. They just act. The same principle applies to testing your incident response plan.
By testing, you see how employees work together, what kinds of decisions they make in stressful conditions, and how fast they resolve issues. You’ll see if they follow the plan, follow policies, or just wing it.
When crafting tests, pay attention to the situations most likely to arise in your organization, and test your employees on those circumstances. Document failures and successes during your test, and use the results to adjust the incident response plan or training as needed.
GET BUSINESS ASSOCIATES ON BOARD
It doesn’t matter what type of organization you are: third parties impact your security. Sometimes third parties do a stellar job at security. Other times, they fail miserably. That’s why you must be hyper-vigilant with every third party that could impact the security of your patient data.
Healthcare entities often believe their business associate agreements cover them in case of a breach. Unfortunately, that’s not accurate.
The HIPAA Omnibus ruling states that even if a business associate has never signed a business associate agreement (BAA), they may still be held liable. This also means the covered entity carries liability as well. Specifically, the HIPAA Final Omnibus Rule requires covered entities to implement or update a BAA for all relationships wherein the business associate creates, receives, maintains, or transmits electronic patient information.
It’s common for third party vendors to not fully realize they are part of HIPAA regulations, as they may not actually view healthcare data. That’s why this month is a good time to educate your third party vendors, and determine the risk they pose to you and your data. If they are unwilling to sign a BAA, it may be advisable to seek out vendors that will treat your data more securely and are contractually willing to protect it.
If you’re like 90% of healthcare organizations out there, you already have organizational policies. But they probably haven’t been reviewed or updated in years. Or perhaps you have policies, but they haven’t been properly documented.
To maintain HIPAA compliance, update your current policy and procedure documentation, and ensure employees are appropriately trained.
The HHS takes written policies very seriously. For example, Adult & Pediatric Dermatology, P.C. was fined $150,000 by the HHS for not having breach notification policies.
Policies define what and how your organization protects PHI. They should provide guidelines on what workforce members can and can’t do. A policy is basically a security framework for your employees. Here are the policies you should implement at your organization.
Breach notification policies
Your policy should include documentation of:
- Members and contact information of your breach response team
- State and federal breach response laws
- Who to notify in case of a breach (e.g., stakeholders, the HHS, law enforcement, patients, and the public)
- Response timelines
A few examples of good security policies to include in your business plan:
- Firewall configuration standards
- Job descriptions
- Network time protocol (NTP) configuration procedures
- Physical security procedures
- Security awareness training procedures
- Workstation functions
A few examples of good privacy policies to include in your business plan:
- Accounting of disclosures of PHI
- Patient access to PHI
- Authorization for release of PHI
- Minimum necessary for uses and disclosures of PHI
- Emailing PHI
- Safeguarding and storing PHI
- Destruction of PHI
Remember, a policy is only as good as its enforcement. Don’t let your policies sit on a shelf! Train your employees on company policies, or all that policy writing will have been for nothing. Review policies on a regular basis to ensure they are updated with system, personnel, and technology changes.
ASSESS YOUR PROCESS
HIPAA shouldn’t necessarily be an annual process; it should be an ongoing process. You should do a deep dive and reanalyze your HIPAA compliance plan every year.
Assess where you are, and how far you’ve come. Set HIPAA goals and milestones for next year. Plan out employee trainings based on risks and vulnerabilities you found during your risk assessment this year.
As always, don’t forget to document your plans for next year!
HIPAA compliance doesn’t have to be an impossible task. Break compliance into small manageable pieces, such as starting your risk analysis, creating an incident response plan, or searching for where PHI is being stored.
HIPAA compliance is never completely finished. Your environment is constantly shifting with changes to workforce, technology, security policies, and medical processes. Because of this, HIPAA should be an ongoing “business as usual” process.