Home Health & Hospice Week

Follow these 7 pointers to get into good HIPAA shape this year.

If you want to avoid fines and public embarrassment in 2020, make a HIPAA New Year’s resolution you can keep with this advice from the experts.

As you revisit policies and procedures and outline your 2020 HIPAA program, take advantage of internal audits done on a regular basis to maintain and encourage compliance, suggests attorney Lauren M. Ramos with McGuireWoods in Richmond, Virginia.

Add these seven tips from Ramos to your HIPAA checklist:

1. Monitor agency HIPAA protocols and procedures. Many violations are a result of neglect somewhere in the compliance checklist, and that’s why it’s crucial to keep on top of issues. “Conduct ongoing monitoring of HIPAA compliance on an entity-wide basis,” Ramos advises.

2. Don’t skimp on risk assessments. “Ensure compliance with the HIPAA Security Rule, including conducting security risk assessments on a routine basis,” she maintains. Plus, if the HHS Office for Civil Rights sees that your organization has a steady — and well-documented — track record of assessing, analyzing, and managing risks, it’s more likely to work with you to minimize the breach penalties.

3. Consult a compliance expert. “Providers who do not have the capacity to conduct their own risk assessment can hire one of many expert consultants to conduct the risk assessment for them,” counsels Ramos. And remember, smaller agencies may feel like they don’t have the budget to seek HIPAA help, but the financial and professional costs of a breach often far outweigh the minimal fees of engaging a compliance expert.

4. Address and attend violations promptly. “If you experience a breach, follow all breach requirements and protocols on a short timeline,” Ramos warns. “Do not sit on a suspected breach.” Remember that a covered entity (CE) must notify impacted individuals without “unreasonable delay” no later than 60 days after the “discovery” of the breach, OCR guidance reminds.

5. Update policies accordingly. It’s a great idea to do a monthly check-up and an annual audit of your policies and procedures, but it is especially critical to address your agency’s shortcomings after an incident. “Review your HIPAA compliance program anytime a breach or suspected breach occurs,” says Ramos.

6. Enforce strict social media rules. It can be particularly troublesome for providers to successfully navigate the various social media platforms without sinking the proverbial ship. CEs that plan to utilize Twitter or Facebook to promote their businesses must use caution and keep HIPAA in mind before posting online.

“Have a strict social media policy and make sure employees are aware of it. Often when breaches involve social media, the person disclosing the information did not realize that it constituted protected health information [PHI],” she instructs.

7. Train staff on HIPAA. Educating your staff on the nuances of HIPAA is not only essential to protect your patients and business, but it’s required under the Privacy Rule. “Employee training is critical. In addition to comprehensive training required by HIPAA, making sure employees consistently know their resources and first points of contact goes a long way,” explains Ramos.

She continues, “Employees should know who the privacy officer is with a direct line of access and be encouraged to ask questions or report anything unusual. An open, ongoing discussion about HIPAA compliance makes it more likely that employees will catch any issues.”