Train, monitor, modify to keep procedures current.

Strengthening your HIPAA compliance to mitigate your lab’s risk — there’s a New Year’s resolution worth making. Whether updating staff training, evaluating protocols, or implementing “lessons learned” from HIPAA assessments, you can make 2020 your best compliance year by following our expert steps.

Step 1: Follow Your Lab’s Existing HIPAA Protocols

Many HIPAA violations are a result of neglect somewhere in the compliance checklist that you already have in place. Use your existing compliance plan to its fullest by doing the following.

Educate staff: “Have ongoing training and compliance and make such training a significant part of your on-boarding process with new employees,” says Danielle L. Dietrich, with Tucker Arensburg in Pittsburgh. Educating staff is not only essential to protect your patients and business, but it’s required under the Privacy Rule.

“Employee training is critical. In addition to comprehensive training required by HIPAA, making sure employees consistently know their resources and first points of contact goes a long way,” explains Lauren M. Ramos, with McGuireWoods LLP in Richmond, Virginia. “Employees should know who the privacy officer is with a direct line of access, and be encouraged to ask questions or report anything unusual. An open, ongoing discussion about HIPAA compliance makes it more likely that employees will catch any issues,” Ramos says.

Use audits: Make sure your lab performs internal HIPAA audits on a regular basis. As you revisit policies and procedures and outline your 2020 HIPAA program, take advantage of those audits to identify weaknesses and strengthen your compliance plan for the new year.

Step 2: Don’t Skimp on Risk Assessments

Complying with the HIPAA Security Rule requires “conducting security risk assessments on a routine basis,” Ramos says. In addition to being required, if the HHS Office for Civil Rights (OCR) sees that your organization has a steady — and well-documented — track record of assessing, analyzing, and managing risks, it’s more likely to work with you to minimize the breach penalties.

Get expert help: “Providers who do not have the capacity to conduct their own risk assessment can hire one of many expert consultants to conduct the risk assessment for them,” Ramos advises. For example, you may want to hire a health IT expert to review your networks and systems.

“Most organizations cannot meet the standards of the HIPAA Security Rule for a risk analysis without help from a third party that specializes in performing risk analyses,” acknowledges Jen Stone, MSCIS, CISSP, QSA, a security analyst with Security Metrics in Orem, Utah. “Risk analysis is not a skill set you can reasonably expect your IT team to have.”

If you have a small lab and think that you don’t have the budget to seek HIPAA help, remember that the financial and professional costs of a breach often far outweigh the minimal fees of engaging a compliance expert.

Step 3: Address Violations Promptly

Incident response and breach management continue to plague organizations big and small, requiring professional insight from legal help to forensic investigators.

Have a plan: “Have an initial response plan in place, so that there are no questions or hesitation of what to do when a problem is discovered,” advises Dietrich.

Act fast: When a breach is identified, “isolate the problem as quickly as possible and get the right support system in place to help guide [personnel] through the process, including attorneys and technical folks, depending on the type of breach,” she says. “If you experience a breach, follow all breach requirements and protocols on a short timeline,” Ramos agrees. “Do not sit on a suspected breach.” Remember that a covered entity (CE) must notify impacted individuals without “unreasonable delay” and no later than 60 days after the “discovery” of the breach, OCR guidance reminds.

Implement consequences: “Have defined policies and penalties for breaking those policies. Enforce those penalties — if you don’t enforce, the policies aren’t worth anything,” Dietrich says.

Include policy updates: It’s a great idea to do a monthly check-up and an annual audit of your policies and procedures, but it is especially critical to address your organization’s shortcomings after an incident. “Review your HIPAA compliance program anytime a breach or suspected breach occurs,” says Ramos.

Step 4: Scrutinize Your BAs

“Make sure that your vendors are also compliant — especially IT and anyone that touches patient information in any way. Ask for detailed information about their policies. Your contracts should include an indemnity clause in case that vendor is responsible for a breach,” Dietrich says.

Rules and responsibility: CEs can share protected health information (PHI) with business associates (BAs) only when “the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule,” says the OCR.

The OCR recently updated its guidance on the direct liability of BAs, clarifying which “party is ultimately responsible for satisfaction of various responsibilities and patient rights,” explains HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. “Where the BA is not responsible, the hiring entity is.”

Best bet: Make sure you utilize a watertight business associate agreement (BAA) to protect your business when hiring and using vendors.