Do You Have an Effective HIPAA Compliance Program?

HIPAA Knowledge Hub

HIPAA Tracking

Check out our guide for HIPAA compliant best practices to see how your program stacks up

In 2020, there was a 25% increase in healthcare records breached. This number represents more than 29 million individual healthcare records stolen or compromised.

If you are a healthcare provider, you must protect your patients’ information. Do you have an effective HIPAA compliance program in place? Keep reading this guide for HIPAA compliant best practices. You might find ways on how your organization can improve.

What are HIPAA and PHI?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law in the United States. HIPAA controls how healthcare information gets used.

HIPAA outlines the lawful uses and disclosures of protected health information (PHI). The law was also created to modernize the flow of this information and protect it from theft and fraud. You can learn more about navigating the world of HIPAA with the rest of our HIPAA Knowledge Hub series of articles:

HIPAA Knowledge Hub  HIPAA Tracking

Protected health information (PHI) is information that can identify a client or patient. A few examples:

  • Names
  • Social security numbers
  • Phone numbers
  • Addresses
  • Credit card information
  • Facial photos

Any electronic PHI that’s accessed, stored or sent falls under HIPAA requirements. The term for this electronic information is electronically protected health information or ePHI.

Who Should Comply With HIPAA?

HIPAA applies to two different types of organizations. The legislation calls these groups a covered entity or a business associate. These types of organizations are spelled out below:

Covered Entity

Covered entities are those organizations that collect, create and send PHI records. A covered entity is a business that has direct contact with a patient. A covered entity includes health care providers (i.e., doctors, therapists).

HIPAA applies to these organizations that send patient health information in any form. This information might get sent to an insurance company for payment. It could also get sent as a referral to another specialist.

Business Associate

A business associate doesn’t see a patient. Instead, they are responsible for creating, receiving or transmitting a patient’s PHI. Examples of a business associate can range from lawyers to medical transcription companies. Medical equipment businesses also fit the definition of a business associate.

Further examples of business associates include the following:

  • Medical billing companies
  • Faxing service companies
  • Physical storage companies
  • Cloud storage companies
  • Monolithic power systems
  • Email hosting providers
  • Professional shredding companies
  • Accountants

Components of HIPAA

HIPAA requires the U.S. Department of Health and Human Services (HHS) to draft regulations that protect health data. The HHS published the following HIPAA components:

HIPAA Privacy Rule

HIPAA’s Privacy Rule sets the national standard to protect a patients’ PHI. These standards apply not only to the patient, but also to health care providers’ access as well. These privacy rule standards include the following:

  • A patient’s right to access their PHI.
  • A health care provider’s right to patient PHI.
  • A health care provider’s right to refuse access to patient PHI.
  • The required contents for an organization’s HIPAA policies and release forms.

HIPAA Security Rule

HIPAA’s Security Rule sets the national standard for handling patient ePHI. It also covers transmitting ePHI as well. The Security Rule addresses the administrative, physical, and technical protection of ePHI.

HIPAA Breach Notification Rule

HIPAA’s Breach Notification Rule sets the national standards to follow when a data breach compromises patient records. The rule also addresses two different types of breaches. The names for these breaches are Meaningful and Minor breaches.

Organizations must report all breaches, regardless of size, to HHS. The specific protocols for reporting depends on the type of breach.

HIPAA Omnibus Rule

HIPAA’s Omnibus Rule applies to both covered entities and business associates. The Omnibus Rule highlights the requirements for the covered entity and business associate contracts. These contracts must be in place before they share or transfer any ePHI or PHI.

7 Guidelines for HIPAA compliance

Does your company want to sidestep any HIPAA violation penalties? If so, you should create an effective compliance program that encompasses the central HIPAA core elements.

HHS created HIPAA guidelines called the “Seven Elements of an Effective Compliance Program.” These guidelines offer direction for an organization to consider compliance alternatives.

Companies who want to develop their own compliance program can learn from these guidelines as well.

These seven guidelines include:

01 /

Compile written procedures for standards, policies, and policies for conduct.

HIPAA compliance starts when a covered entity or business associate compiles their own written policies and practices. These policies can range from disaster recovery plans to employee codes of conduct.

These policies can also outline any employee training requirements or corrective action plans. Any policies generated should have a future-focused theme.

All staff should provide their comments or suggestions for any changes. When you request this input, your employees will accept and establish more buy-in as your company grows.

02 /

Name a compliance manager.

Your next HIPAA compliance step means identifying who is in charge of your compliance program. You can choose to assign responsibility to a compliance manager. You can also assign compliance responsibilities to a committee.

If you do assign these tasks to a committee, responsibilities can range from specific areas of discussion to creating calendars that organize how often they meet.

You should also figure out how to contact your compliance body. Identify how these committee members should work together to reach HIPAA compliance goals.

03 /

Create training programs and access to information resources.

A robust HIPAA compliance agenda won’t mean a thing if your workers don’t know anything about it. If a new worker joins your organization, have someone train them on HIPAA requirements.

Include those policies and forms your staff will need. Make sure your site provides employee knowledge testing and acknowledgment capability. Employee training should be a continuous process that ensures employees are always updated.

Your onboarding system should also be able to distribute any documents or policies that address your company’s HIPAA compliance requirements. Your employees will need access to your HIPAA information materials at all times. That’s why you should store your documentation on your online systems for easy access, such as Onspring.

That way, your new employee can use them day or night, to answer any of their questions about your company’s procedures or policies.

04 /

Create accessible communication portals.

As a business owner, you are already open to promoting a sense of transparency and openness in your business culture.

This includes confidentiality when discussing HIPAA compliance concerns. Allow your employees to share their opinions without the fear of retaliation.

Encourage your workers to seek answers if they feel insecure. Be a willing listener when your employees want to ask about a specific policy, procedure, or potential violation.

Your company’s policies and procedures should outline any available communication methods. These methods can include emails or suggestion boxes.

Also include where you will communicate any issues. Employee newsletters are a good source for this type of update vehicle. Make this information easy for your team to reach.

05 /

Specify actions.

HIPAA requires an organization to outline its specific steps to enforce the program. Tell your staff how you plan to distribute your company’s appropriate policies. Tell them what training is coming up for any procedures.

You can merge policy management with this compliance component. Send automatic notifications to staff members when your company publishes a new policy. That’s the perfect time to ask for their input on the new policy.

Once you’ve done this, you have the record to justify actions when employees don’t comply with your program.

06 /

Audit and monitor.

Think of this segment like you think of your personal automobile. Your car needs regular servicing. So does your HIPAA compliance program. Regular program review helps make sure it’s relevant and effective.

Decide what frequency you’ll want to audit your worksites. Then you can draft any follow-up plans that detail your next steps after an audit.

Automated systems will also help you plan updates further down the road. Use automated notifications to remind you that you need to renew or update your policy. Allow your compliance officer or compliance committee to access your systems.

07 /

Quickly respond and utilize corrective action plans.

Comprehensive HIPAA compliance programs should also speak to any corrective actions to address violations.

Your company’s action strategy should define the way you identify, address, and handle any compliance violations. What is the best disciplinary action? Who do you contact?

The primary focus is to fix the issue. Correct your current program where necessary so that more problems don’t happen in the future.

Take the Next Step Toward HIPAA Compliance

If you’re ready to secure HIPAA compliance for your company, then you can start today. Make sure you always have a plan to meet today’s HIPAA requirements. Bring your company’s greatest minds together to draft your plan for following the rules.

And don’t forget to use us as a resource for more helpful advice on compliance management solutions. We’re here to help your company achieve and stay HIPAA compliant. And we’ll be here when you’re ready to see our solution in action.

Let's demo

When you’re ready, we’re ready.

See what Onspring can do for your HIPAA certification plans.
Let's demo