It’s 2019: Is Your HIPAA Program Compliant?

Checking in on Your HIPAA Compliance Efforts

Although the Health Insurance Portability and Accountability Act (HIPAA) was introduced more than 20 years ago, the rule has evolved over time to keep up with the new and advanced ways health care organizations store, access, share and exchange protected health information (PHI).

To be sure your organization remains in compliance and refreshes its program when needed, it’s important to regularly assess your HIPAA program—and the start of a new year presents a prime opportunity for the task. The following are three key strategies to help guide the effort.

1. Evaluate and Revisit Current Processes. At its core, HIPAA compliance regulations require organizations to have administrative, physical, and technical safeguards to guarantee the privacy and security of PHI. A thorough HIPAA review involves closely examining each of these areas to identify risk points and craft mitigation plans. For example, depending on what you discover during the assessment, you may need to adjust, or revamp policies related to compliance monitoring, access to physical data storage, electronic communications, environmental controls and so on.

Further, when it comes to staff training efforts, while employers are required to deliver timely education to all new hires, including the staff member’s role in supporting compliance, it’s critical that all employees receive annual refresher training. This will ensure that staff stay current on new developments, be informed of changes to your organization’s program and be reminded of the importance of PHI security.

2. Stay Up-to-Date on Data Security Trends. Despite an organization’s best efforts, data breaches can happen, making it critical to keep a close eye on emerging challenges and threats impacting the industry. One relatively new data security issue pertains to cloud-based technology. Organizations that work with software-as-a-service providers to store and access PHI must make sure these business associates have sufficient protections in place, and should have proactive conversations with them around existing security protocols and how those may evolve to address new threats. Even though business associates will be held accountable for any security shortfalls, health care organizations are ultimately responsible for ensuring their patients’ PHI is appropriately protected.

3. Look to See What’s Coming. For example, in September of 2018, the National Telecommunications and Information Administration (NTIA) issued a request for comment (RFC) “on ways to advance consumer privacy while protecting prosperity and innovation.” RFCs are common practice when developing Final Rules or revisions of regulatory legislation such as HIPAA. The NTIA’s RFC garnered just over 200 submissions from stakeholders, spanning from private individuals to nonprofit think tanks, to large corporations from a range of businesses and interests. The diversity of submissions is testament to the high regard and concern everyone holds for privacy while also supporting an atmosphere that fosters medical and information sharing advancements. As health care and consumer technology advance and intertwine, it’s becoming much less clear how to best protect health information and what regulations apply where. Although no decisions have been made, the coming year will likely bring changes.

Consider appointing a subject matter expert as a dedicated champion for your organization’s HIPAA compliance efforts to stay abreast of changes, the different challenges they could bring and how your organization can stay prepared.

Rely on a Trusted Partner

Although HIPAA is far from new, staying on top of the complex legislation can be a daunting prospect. By working with an expert partner like Stericycle, organizations can be confident that their privacy and security efforts are up-to-date. We offer a comprehensive suite of HIPAA solutions that address key activities such as assessment, training and more.