You’re going about your daily business, serving clients and running your practice. You know that patient data is sensitive, and when you hear about ransomware and data breaches you may wonder whether something like that could happen to your office. Of course you know about HIPAA, but you may not know about the HITECH Act or the more recent changes to federal law that increase the penalties for noncompliance and extend these obligations directly to Business Associates. Nevertheless, you want to do the right thing: protect patient data and comply with the law. What you may not know is everything you have to do to accomplish those objectives.
Mode of Operation
You have some time to figure out what to do and to come up with a reasonable plan to get it done, but doing nothing is not an option. You hold patient data, and these laws have been on the books for quite some time. Most patient data is now in electronic form, and breaches are on the rise. So are lawsuits and regulatory enforcement actions (audits and monetary penalties). Take action now to protect patient data and your business.
Plan of Action
- Start with a HIPAA Security Risk Analysis. You can’t address your risks if you don’t know what they are. Repeat it periodically (at least annually) and whenever you make a significant change to your systems, staff, or physical infrastructure.
- Address the identified data security risks with a reasonable, documented plan as budget and time allow.
- Review your data backup and recovery procedures. Document them and test them: a backup you have never actually restored from is not a tested backup.
- Conduct a HIPAA Privacy Risk & Breach Notification Analysis.
- Address the gaps identified in your HIPAA Privacy Risk & Breach Notification Analysis with a reasonable plan as budget and time allow.
- Identify your Business Associates (BAs), execute HIPAA-compliant Business Associate Agreements, and obtain “satisfactory assurances” that your BAs understand their obligations to safeguard your patient data.
- Identify your response team and come up with a plan for handling an audit or a breach of patient data while you are not under the stress of a live incident. Things move very quickly when one of these events occurs, and it is far better to have the plan in place before that happens.