The HIPAA Omnibus Final Rule, effective March 2013, puts organizations in every industry that have a business relationship with a Covered Entity at risk of being non-compliant. Non-compliance can seriously damage a hard-earned reputation and the brand loyalty built up through years of hard work and dedication. Most companies have no idea where to even start on the path to compliance.
That’s where Securit360 can help you with a Roadmap to Achieving HIPAA Compliance.
Conduct and document an initial risk assessment/analysis to establish where your business currently stands in implementing the HIPAA security safeguards, and where the gaps are that you need to fill. This list of the Components of a HIPAA Risk Analysis provides a good high-level overview of what you need to include in your document.
Research and understand the HIPAA standards and your role in handling PHI. As a HIPAA-compliant hosting provider, Online Tech never accesses PHI or data on clients’ servers. We only provide the secure infrastructure necessary to protect sensitive information in a fully compliant environment.
Draft a Business Associate Agreement (BAA) that clearly defines your role and obligations in handling a client’s sensitive data. Include clauses covering contract termination, data ownership and breach notification.
Ideally, invest in an independent HIPAA audit of your business against the OCR HIPAA Audit Protocol, so that you have assurance and verification that your policies, procedures and services are in compliance.
Train all of your employees in HIPAA-compliant policies and procedures as they affect the day-to-day operations of your company, tailored to the level of security each position requires: an employee who transports sensitive data will need more specific guidelines to stay compliant and prevent a data breach. Document proof of employee training and awareness, and update it every year.
Appoint a Risk Management and Security Officer in your company, preferably someone with a strong technical background, to implement, manage and oversee compliance and to ensure that everyone follows the documented policies and procedures.