Many practices think that once they have conducted a risk analysis, they are done with their HIPAA compliance efforts. Unfortunately, a risk analysis is just the beginning! You must also document your ongoing HIPAA efforts through periodic evaluations.
45 CFR § 164.308(a)(8) Evaluation – HIPAA requires covered entities and business associates to perform a periodic technical and non-technical evaluation of their security policies and procedures. The evaluation is based initially on the standards implemented under the Security Rule and subsequently on environmental or operational changes that affect the security of ePHI, and it establishes the extent to which those policies and procedures still meet the Rule's requirements. Your original risk analysis and risk management plan are the natural reference points for this review.
Setting a time frame in which to perform your evaluations is essential in determining whether you are adequately protecting ePHI. Organizations may perform them annually or on another cadence (e.g., every two or three years) depending on the circumstances of their environment. An annual evaluation is recommended given the ever-changing world of technology: as software and hardware become outdated or are replaced, the new systems must be reviewed to ensure they are installed properly and configured in line with your security policies.

Of course, if you have a major change in your organization or a data breach, you may need to reorganize your quarterly plans and conduct a new risk analysis. Keep in mind that if you suffer a data breach, have not kept your risk analysis current, and the investigation uncovers a vulnerability you had not addressed, you could be heavily fined. It is important to know whether the security plans and procedures you have implemented continue to adequately protect ePHI.

Some organizations see no need to hire an IT vendor, believing they can do this themselves. Depending on the services being offered, that could be a huge mistake. An IT vendor that specializes in data security for healthcare is essential in protecting your data and your assets.
We recommend reviewing certain aspects each quarter. For instance, in the first quarter, review your Risk Management Plan to ensure everything is documented. It may not be necessary to update your Breach Notification Plan, but we suggest reading it to remind yourself what to do in the event of a data breach.
The second quarter is a good time to review your Contingency Plan and make any updates. You may need to request additional information from your IT department or vendor.
In the third quarter, review your HIPAA Privacy Rule Policies, Procedures and Documentation. Most of these will not need any updates, but as always, it is recommended to review them, just in case something has changed.
In the fourth quarter, review your HIPAA Security Rule Policies, Procedures and Documentation. As in the privacy section, you may not need to update very many, but HIPAA requires that you review your documentation periodically and update it as needed (45 CFR § 164.316(b)(2)(iii)). Pay close attention to the Technical Safeguards section, as this is where changes are most likely to be needed.
We also recommend reviewing your insurance policies and vendor contracts at least 60-90 days before they renew. This should give you ample time to review them and decide whether you have adequate coverage. This includes medical malpractice, life, and disability coverage for key personnel. We also suggest reviewing your contract with your IT vendor at least 90 days before it terminates; some vendors add auto-renewal stipulations that lock you in for an additional year if you miss the notice window. While you are at it, confirm that every vendor with access to ePHI has a signed business associate agreement in place.
Cyber/breach insurance should be reviewed with an agent that specializes in this type of coverage; the average policy may not be enough to protect you.
Aris has been busy creating an automated HIPAA compliance package. With the new program, you will be able to update your plan and your policies quickly and easily. With the documentation within the system, you will be able to demonstrate your ongoing HIPAA compliance efforts. Watch for the launch announcement!
If you need assistance with Risk Management or guidance with your HIPAA Compliance, contact us at 877.659.2467 or complete the contact us form.
“Simplifying HIPAA through Partnership, Education, and Support”