Reminder: Document your risks and how you intend to manage them. Whether your practice has mastered compliance with the HIPAA Security Rule or you’re struggling to organize a program for 2022, there is always room for improvement. Plus, as data security incidents continue to wreak havoc across the healthcare spectrum, there’s never been a better time to protect your patients and your bottom line with a solid HIPAA compliance plan. Caveat: The HHS Office for Civil Rights (OCR) allows you to design your own risk management program based on the scope of your practice — and that can complicate planning. “Every organization is different and has a different way of approaching [its] risk analysis,” points out Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. As you begin to assess your specific organization’s risk and devise or update a plan to address your HIPAA Security Rule compliance, consider starting the process by answering this survey to find out where you stand. 1. Compliance officer: Have you designated someone as a security officer and defined the duties? 2. Procedures and protocols: Do you have a security management process that’s documented and easily accessible? 3. Risk assessment: Are your IT security, policies, and procedures reviewed often and in compliance with the regulation? 4. Risk analysis: Have you performed a risk analysis of your organization that includes identifying all of your information assets, their vulnerabilities, and your threat profile? 5. Incident response: Did you assess the impact of a breach during your risk analysis and write up an incident response plan in accordance with these expectations? 6. Staff training: Have you created a security training program for all employees that covers the HIPAA basics as well as a plan that offers focused compliance based on the tasks and job responsibilities of individual staff? 7. Risk management: Have you created a risk management plan that enables not only regulatory alignment but also viability in an ehealth environment? 8. BAs: Are you confident that your business associates (BAs) are providing the same level of security for your patients’ electronic protected health information (ePHI) as you are? Are your business associate agreements (BAAs) ironclad and compliant? 9. Disaster planning: Have you identified your most critical IT resources and outlined a business continuity/disaster recovery plan? 10. Access controls: Are authentication controls adequate to prevent unauthorized access to your systems? 11. Internal audits: Do you regularly audit your systems, utilizing monitoring and logging, to determine who had access, when they were on, and if they exceeded their access limits? 12. IDs and passwords: Do you have user login ID rules and have you established strong password requirements? 13. Equipment check: Will your devices, media, workstation, software, hardware, and virus-checking controls measure up to compliance requirements? 14. Security: Do you have a process that ensures network security as well as the physical security of your facility? 15. Third-party audits: Are systems periodically tested for effectiveness of their security features by an outside vendor, compliance company, or auditor? 16. Public relations: Do staff understand the dos and don’ts of social media, texting, and other cyber issues related to HIPAA? 17. Punishment: Do you have HIPAA enforcement procedures in place for employees who willfully violate the Rules or refuse to comply? 18. Breach management: Can all staff identify a data breach? Do you have a dedicated chain of command that every employee knows for breach confirmation, containment, and communication? 19. Culture of compliance: Do you cultivate and promote a HIPAA-compliant office culture? 20. Extra help: Have you clarified HIPAA mandate questions with legal counsel or consulted with a healthcare cybersecurity expert on device encryption, cloud safety, and patch management? Resource: Check out OCR guidance on the various HIPAA Rules at www.hhs.gov/hipaa/for-professionals/index.html.