Reader Report: Is Your Wound Clinic HIPAA Compliant?

Question 1: Are your HIPAA policies and procedures up to date, effective, and available?

Explanation: All covered entities should have organizational policies and procedures in place that address each requirement in the HIPAA Privacy and HIPAA Security regulations. These HIPAA policies also must address the changes outlined in the HITECH Act, enacted as part of American Recovery and Reinvestment Act of 2009 (the “Regulations”). Further, when the final HITECH Act regulations were published in January 2013, HIPAA policies and procedures needed updating.

Policies and procedures need to follow the requirements outlined in the Regulations, be maintained in a “Master Manual,” and be available for all employees, on an as-needed basis.

Organizations should also be monitoring employee compliance with HIPAA regulations to ensure the policies and procedures in place effectively guide employees to correctly follow required HIPAA practices. Policies and procedures need to reflect how the wound clinic actually operates. Templates of policies and procedures alone are not sufficient.

Question 2: Is your HIPAA training effective and up to date?

Explanation: HIPAA requires all covered entities to deliver HIPAA training to employees. These training presentations should be updated on a regular basis to reflect regulatory or organizational changes.

Additionally, organizations should have a system in place that evidences training completion as well as procedures to ensure that trainings are delivered and attended in accordance with internal policies and procedures. Further, organizations should have evidence to substantiate that the trainings delivered are effective in providing employees with the information necessary to comply with HIPAA.   

Question 3: Has a risk assessment been conducted and did you generate a remediation plan that is updated regularly?

Explanation: The HIPAA Security Rule’s administrative safeguards provisions require covered entities to perform a risk assessment as part of their security-management processes. When analyzing potential risks to the security of protected health information, organizations should: 1) evaluate each risk’s likelihood and impact; 2) implement appropriate security measures to address identified risks; and 3) document the selected security measures, including an explanation of the reasoning for selection. Any corrective action taken by an organization as a result of the risk-assessment findings should be monitored to completion and documented. While not part of the privacy regulations, best practice is to conduct the same risk assessment on privacy-management processes. 

Once the risk assessment is completed, a remediation plan is required. The remediation plan outlines a strategy to remediate gaps in compliance identified during the risk assessment. For each identified threat, the plan should include the risk score for the threat, the action to be taken to mitigate the threat, the individual responsible for mitigating the threat, and a target date for the threat to be mitigated. Meaningful progress in implementing the mitigation plan is required for compliance.

Because risk assessment is an ongoing process, organizations should update their risk analyses (at least annually) to ensure risks are appropriately identified, remediated, and monitored. Additionally, internal controls and security measures used should be regularly monitored and evaluated to ensure protected health information is appropriately and effectively protected.

Employees must also be trained on internal policies and procedures, not just general HIPAA concepts.

Question 4: Do you have ongoing auditing and monitoring programs for HIPAA Privacy and HIPAA Security?

Explanation: Organizations should be monitoring HIPAA Privacy and HIPAA Security compliance ongoing. Compliance officers, in conjunction with HIPAA Privacy and HIPAA Security officers, should be monitoring completion of HIPAA education, as well as detecting and investigating potential HIPAA compliance incidents occurring during daily operations. Additionally, there should be several HIPAA items included in the organization’s annual audit plan, specifically focusing on confirming patient records are accessed and disclosed appropriately and internal controls are effectively securing protected health information.

Question 5: Have you conducted due diligence on your BAs?

Explanation: With the publication of the final omnibus rules in January 2013, your relationship with your business associates (BAs) has fundamentally changed. Prior to the final omnibus rule, you had protection from civil liabilities for a HIPAA breach caused by a BA working for you under a BA agreement. This protection is gone — now you can be held liable for breaches caused by your BAs. 

You now have a requirement to investigate your BAs to ensure they are complying with the same HIPAA requirements as you, the provider, and that there is not a pattern of behavior that has caused breaches in the past or will likely cause a future breach.

Question 6: Can you provide the following?

a) The signature pages of your most recent security risk assessment
b) The signature page of your most recent remediation plan
c) The signature page of your HIPAA master policy and procedure manual
d) A copy of your most recent network vulnerability scan
e) A sample of your most recent training materials and logs

*For any questions, email jdarrah@hmpcommunications.com