After a summer that saw major data breaches at the Office of Personnel Management and UCLA Health System, this fall is a great time to take your organization back to school on HIPAA compliance and data security. Here are four items to add to your fall to-do list, no #2 pencils required.
1. Use proactive training for staff on threats—new and old. Don’t let HIPAA training get stale for your employees. Evaluate your current training program to ensure it addresses current threats employees will encounter, including phishing scams and mobile device issues. However, in designing training, keep in mind that your employees need guidance and reminders about more traditional, routine HIPAA issues as well. Though cutting-edge hacking and phishing may get a lot of attention, many breaches still involve low-tech problems, like the improper disposal of paper records. In addition formal training sessions, consider more regular opportunities to remind employees of HIPAA obligations and best practices:
- Have a HIPAA Awareness Week with a daily email with a HIPAA tip.
- Post reminders about document destruction near recycling bins and shared printers and faxes.
- Send employees a HIPAA quiz and give prizes to participants.
- Use the training resources available from the Office of the National Coordinator (“ONC”).
- Use the facts of recent HIPAA settlements (available on the website of the Office for Civil Rights (“OCR”)) as teaching tools.
- Document your training, both formal and informal
2. Put privacy and security front and center with the C-suite. Capitalize on the current attention to data security by bringing compliance issues and programmatic needs to the attention of the C-suite. A data breach can expose your organization to federal and state penalties and class action lawsuits, and, just as importantly, can jeopardize your organization’s reputation. Make sure leadership understands the risks, how your legal, compliance, and IT teams are addressing them, and the additional resources you may need.
3. Review and update your security risk assessment. Both covered entities and business associates need to have performed a security risk assessment and should update the assessment on at least an annual basis. An operational change in the security environment of your organization should also trigger an update. To assist, ONC and OCR have put out a Security Risk Assessment Tool in both electronic and paper forms.
4. Inventory your business associate arrangements. OCR continues to focus on business associates and will include business associates in its Phase II HIPAA audits. Whether or not your organization is audited, there are some key steps you can take to make sure it is appropriately handling business associates:
- Have a single repository with a list of all of your business associates and your business associate agreements (“BAAs”). If your organization is a business associate, have a similar list and repository for business associate agreements with covered entity clients and business associate subcontracts with vendors. If your organization is a business associate, the list should include the timelines you have agreed to for providing breach notification to covered entity clients.
- Ensure you have appropriate contracting practices in place to evaluate whether new arrangements require a BAA and to ensure legal review of BAAs drafted by another party. When using your own template BAA, ensure that it appropriately reflects the relationship between the parties and the type of services being provided.
- Do your diligence when entering into a business associate relationship with a vendor.