When it comes to HIPAA, the government isn't making suggestions or giving ideas on how to protect patient data. HIPAA is a requirement and it must be followed. But there is the rub. Many practices throw their hands up in the air because they feel that HIPAA is just too complex and they can't meet the necessary requirements. The good news is that HIPAA security doesn't have to be complex for your practice. And even doing a few low cost steps can go a very long way in bringing you into compliance.
First, a warning. No product or service will EVER make you HIPAA compliant. Compliance is something you as the practice must achieve and maintain on a daily basis. No service or product can do that for you.
Second, no one can be HIPAA certified. There is no such thing. The Department of Health and Human Services doesn't recognize any certification process for training or services.
With that out of the way, we can proceed.
Small steps practices can do for HIPAA security
Perform a risk analysisThis is actually a required element of the HIPAA Security Rule. Every practice must perform a risk assessment, at the minimum, of once per year. Ideally, more often is better but if you performed the bare minimum, you have gone a very long way to addressing your HIPAA security items. However, simply performing one isn't enough. If you perform the risk analysis but then don't address any of the findings, you could be liable for willful neglect. Meaning you knew what was wrong and you willfully chose to ignore it. Perform your analyses, document what you did to address the findings and then document what why you couldn't address some of them (due to cost, etc).
Install a firewallThis step is no longer just a "good idea" for practices of any size. Its something everyone must do. And it can't be the "firewall" included with your internet provider's modem or a wireless router. These do not offer the protection level you will need to protract your practice. You will also want to make sure your firewall has active intrusion detection/prevention built in. This technology can detect incoming attacks in real time and block them.
Install antivirus/malware softwareIn the past, many small businesses thought antivirus software just wasn't necessary. I doubt many would think that way now. However many do want to cut corners and use free antivirus software. The problem with free is you get what you pay for. Most free antivirus programs won't perform real time analysis and scanning. This is one of the most important protective mechanisms of an antivirus program. You need that real time scanner watching in the background. Quality programs like Symantec or Malwarebytes are good choices.
Training training trainingThis may be one of the most important things on the list. Training. You need to train your office staff over and over on your HIPAA security policies. You need to make sure that the staff knows that HIPAA is serious business for your practice. After you perform training, document it. Like the old saying - if you don't document it, it didn't happen.
Document everything.This is the sauce that ties it all together. Documentation is what will save or burn you in a HIPAA audit. Documentation doesn't cost you anything but the first thing an auditor will ask you is for your documentation. Depending on how well you have done with documentation all of your steps will determine how the audit goes. Document everything that has an impact of HIPAA security. Here are some suggestions:
- Onboarding of new employees
- Firing of employees
- Training
- Risk Analysis
- Remediation of items from risk analysis
- Business Associate Agreements
Document everything that could have an impact on your HIPAA compliance.
This list gives you a good starting point that isn't expensive. This will help you begin to achieve compliance for HIPAA. However, as stated earlier, this will not make you compliant. That is something you have to do on your own. But following these steps should take you a very long way to achieving it.
