December 3, 2020
Who doesn’t love the whole “new year, new you” excitement? But before you press fast forward on the month of December, there are a few key pieces of HIPAA you are probably missing, and you can still catch up on them before the December 31 HIPAA deadlines hit.
You may be thinking “I did my Security Risk Analysis, I’m good!” or even “we did training that one time, we’re fine!”. Don’t shoot the messenger, but there are a LOT of other pieces that go into your HIPAA program besides annual HIPAA training and the Security Risk Analysis. Before you panic, you aren’t alone: in the latest round of OCR audits, OCR found that only 17% of practices had performed a Security Risk Analysis, and only 6% had a security risk management program (the documentation, policies, and additional HIPAA pieces required) in place.
What do I need by December 31?
So what do you actually need in place, and how do you get this new checklist completed before the end of the month? First, let’s cover what you need to have at a minimum:
1. Your Security Risk Analysis (SRA)
We call this the first step in HIPAA compliance for a reason. The SRA sets the baseline for your practice by assessing all physical, technical, and administrative areas of risk and determining where your HIPAA program stands. Your SRA must be updated annually and should be more than a generic checklist: it should cover all the aspects of your practice most at risk, and should give you actionable insights into your high-, medium- and low-risk areas.
2. Annual HIPAA Training
If your practice has the first requirement down, you may also have HIPAA training somewhere on your radar. Some practices either do training once, instead of annually as required, or fail to document training correctly. You should have a certificate or other record of completion for each staff member, dated within 2020, to meet this requirement. The easiest way to do HIPAA training? Using an automated system lets staff take training individually, without having to shut down your practice or hire an outside trainer for a day.
3. Documented Policies & Procedures
This is where practices might start to miss the mark. You may have a few policies, or perhaps an older HIPAA manual, but documentation that meets the government’s standards is key to meeting this requirement. That means having updated, current and specific documentation that accurately reflects how your practice operates today (instead of an outdated manual from 6 years ago) and touches on all HIPAA requirements, not just one or two areas.
4. Updated HIPAA Logs
If you have all of the above (major kudos if you do), having the right logs of all HIPAA related access, assets and possible breaches is still a commonly missed area, and is key to documenting how your practice handled HIPAA incidents in the past year.
- The asset log (emphasized this past August by the OCR as a key way to track technical safeguards) should record every active and inactive device that has or had access to PHI, where each device is located (or how it was disposed of), whether it is encrypted, and how it is protected.
- The access log should track any irregular access to PHI, such as by vendors or non-staff members, so that if a breach occurs you can determine who had access to the breached information at that time. This can be a paper check-in log, or it can be kept electronically within your HIPAA software (if you’re cool enough to have a HIPAA solution that does so – *wink wink*).
- Your breach log should track any possible or suspected breaches and help you complete a breach risk assessment of each incident. If an incident does occur, or you suspect one may have occurred, logging the data and assessing the facts around the breach will help you determine whether and how to report the incident within the required reporting timelines.
All of these pieces should be completed on an annual basis, and tie into the many other requirements that go into a complete HIPAA program.
How do I do it by the end of the year?
If any of the above sounds scary or completely out of left field to you, don’t panic! Taking one piece at a time, starting with your SRA, will help you chip away at these requirements. Odds are you already have a piece or two but are missing other aspects of your HIPAA program. There are a few ways you can tackle these requirements, including:
- Trying to complete them on your own, including manually editing all policies and shutting down to complete staff HIPAA training.
- Hiring a consultant to come into your office, who would manually complete your SRA and policies (if customized) but may still require significant staff time to collect your answers and lead training.
- Choosing an automated HIPAA solution that will do the work for you, dynamically generate your specific policies, guide you through your SRA, and automate all training (we’re probably a little biased, full disclosure).
No matter what you do, leaving HIPAA to the last minute may leave you in a bit of a time crunch, and failing to complete these requirements will leave your practice open to hefty fines.
Thankfully, there is an easy solution that will check everything off your list with plenty of time left to enjoy the holidays instead of stressing about HIPAA! Schedule a quick consultation with a HIPAA expert and see where you might be missing the mark, and how Abyde could help you breeze through these requirements before December 31.