HIPAA Compliance

HIPAA regulation outlines a set of national standards that all covered entities and business associates must address.

What is required for HIPAA Compliance?

Self-Audits

HIPAA requires covered entities and business associates to conduct annual audits of their organization to assess Administrative, Technical, and Physical gaps in compliance with HIPAA Privacy and Security standards. Under HIPAA, a Security Risk Assessment is NOT ENOUGH to be compliant–it’s only one essential audit that HIPAA-beholden entities are required to perform in order to maintain their compliance year-over-year.

Policies, Procedures, Employee Training

Covered entities and business associates must develop Policies and Procedures corresponding to HIPAA regulatory standards as outlined by the HIPAA Rules. These policies and procedures must be regularly updated to account for changes to the organization. Annual staff training on these Policies and Procedures is required, along with documented employee attestation stating that staff has read and understood each of the organization’s policies and procedures.

Business Associate Management

Covered entities and business associates alike must document all vendors with whom they share PHI in any way, and execute Business Associate Agreements to ensure PHI is handled securely and mitigate liability. BAAs must be reviewed annually to account for changes to the nature of organizational relationships with vendors. BAAs must be executed before ANY PHI can be shared.

Remediation Plans

Once covered entities and business associates have identified their gaps in compliance through these self-audits, they must implement remediation plans to reverse compliance violations. These remediation plans must be fully documented and include calendar dates by which gaps will be remedied.

Incident Management

If a covered entity or business associate has a data breach, they must have a process to document the breach and notify patients that their data has been compromised in accordance with the HIPAA Breach Notification Rule. Specific details about the HIPAA Breach Notification Rule are explored below.