December 3, 2020

Who doesn’t love the whole “new year, new you” excitement? But before you press fast forward on the month of December, there are a few key pieces of HIPAA you are probably missing – and can still catch up on before the December 31 HIPAA deadlines hit.

You may be thinking “I did my Security Risk Analysis, I’m good!” or even “we did training that one time, we’re fine!”. Don’t shoot the messenger, but there are a LOT of other pieces that go into your HIPAA program besides annual HIPAA training and the Security Risk Analysis. Before you panic, you aren’t alone – the latest round of OCR audits found that only 17% of practices had performed a Security Risk Analysis, and only 6% had a security risk management program (the documentation, policies, and additional HIPAA pieces required) in place.

What do I need by December 31?

So what do you actually need in place, and how do you get this new checklist completed before the end of the month? First, let’s cover what you need to have at a minimum:

1. Your Security Risk Analysis (SRA)

We call this the first step in HIPAA compliance for a reason. The SRA sets the baseline for your practice by assessing all physical, technical, and administrative areas of risk and determining where your HIPAA program stands. Your SRA must be updated annually, and should be more than a generic checklist – it should cover all the aspects of your practice most at risk, and should provide you with actionable insights into your high, medium and low risk areas.

2. Annual HIPAA Training

If your practice has the first requirement down, you may also have HIPAA training somewhere on your radar. Some practices either do training once, instead of annually as required, or fail to document training correctly. You should have a certificate or other record of completion for each staff member, dated within 2020, to meet this requirement. The easiest way to do HIPAA training? Using an automated system lets staff take training individually, without having to shut down your practice or hire an outside trainer for a day.

3. Documented Policies & Procedures

This is where practices might start to miss the mark. You may have a few policies, or an older HIPAA manual perhaps, but documentation to the government standards is key to meeting this requirement. That means having updated, current and specific documentation that accurately reflects your practice operations today (instead of an outdated manual from 6 years ago) and touches on all HIPAA requirements – not just one or two areas.

4. Updated HIPAA Logs

Even if you have all of the above (major kudos if you do), keeping the right logs of all HIPAA-related access, assets and possible breaches is still a commonly missed area, and is key to documenting how your practice handled HIPAA incidents in the past year.

All of these pieces should be completed on an annual basis, and tie into the many other requirements that go into a complete HIPAA program.

How do I do it by the end of the year?

If any of the above sound scary or completely left-field to you – don’t panic! Taking one piece at a time, starting with your SRA, will help you chip away at these requirements. Odds are you probably have a piece or two, but may be missing additional aspects of your HIPAA program. There are a few ways you can tackle these requirements, including:

No matter what you do, leaving HIPAA to the last minute may leave you in a bit of a time crunch, and failing to complete these requirements will leave your practice open to hefty fines. Thankfully, there is an easy solution that will check everything off your list with plenty of time left to enjoy the holidays instead of stressing about HIPAA! Schedule a quick consultation with a HIPAA expert and see where you might be missing the mark, and how Abyde could help you breeze through these requirements before December 31.