As the HHS Office for Civil Rights continues to issue press releases about HIPAA settlements and enforcement actions, now is a good time to re-examine HIPAA and data privacy compliance efforts. Here are three things covered entities and business associates can do to help reduce the chances of coming to the attention of OCR:
1) Make sure your compliance program actually works.
Organizations can have HIPAA compliance programs and data security policies and procedures that look great on paper, but they will be of no benefit to the organization unless they are actually effective. The government has recently issued some guidance documents that may be useful to CIOs and IT administrators who want to evaluate a compliance program's effectiveness. For example, the Department of Justice recently published some sample questions that its Fraud Section has found relevant in examining a corporate compliance program. The Department of Health and Human Services' Office of Inspector General also published a detailed resource guide with hundreds of questions that might be useful in measuring compliance effectiveness. Although these guidance documents are not aimed at healthcare IT programs specifically, they can provide useful questions to consider.
2) Update and document your risk analysis and risk mitigation plan.
Healthcare organizations must conduct an accurate and thorough assessment of the risks to electronic protected health information, and must also document how those risks will be managed. On April 12, 2017, the HHS Office for Civil Rights announced a $400,000 settlement with a federally qualified health center that allegedly had not conducted a risk analysis until 2012, after it experienced a data breach. Its subsequent risk analyses were found to be insufficient to meet the requirements of the HIPAA Security Rule. It is important for privacy and security officials to make sure their risk analyses are thorough, written down, and are updated periodically. Companies must also have a documented plan they follow to actually address the risks they identify.
3) Don’t forget about state laws.
State data privacy and security laws are not preempted by HIPAA unless it is impossible to comply with both state law and HIPAA and the state law provides less protection or more restricted access to the patient. Therefore, CIOs and IT administrators in companies that operate in multiple states need to examine the myriad state laws that apply to healthcare information. These laws are subject to change, and conducting multi-state surveys of applicable laws can be an expensive and time-consuming process. Because state attorneys general and other regulatory and law enforcement agencies enforce the laws in their states, it is important to keep up with relevant state laws.