Self-Assessments and Do-It-Yourself Manuals
HIPAA Security compliance requires more than purchasing a “HIPAA Manual” and putting it on a shelf. Most do-it-yourself toolkits and manuals require hundreds of staff hours to complete. OCR's free self-assessment tool, with 160 questions and nearly 50 forms to complete, can consume months of time taken from daily operations, and according to OCR it should not be relied upon on its own because of the many possible omissions. We do the majority of the work in a week, requiring much less time from the HIPAA Security Officer assigned by the practice.
You Rely on Your IT Vendor for HIPAA Security
The HIPAA Security Rule requires more than an IT security assessment, which is what most IT companies provide for HIPAA security compliance. An IT security assessment can be an important and useful tool, especially when starting a risk analysis, but it falls short of performing a systematic and comprehensive security risk analysis or documenting that one has been performed. Typically, IT security assessments do not include the administrative, physical, or organizational safeguards required by the HIPAA Security Rule. Also, IT companies may not provide written policies and procedures (such as new-hire or termination procedures) and may not provide ongoing documentation of administrative, physical, and organizational activities, such as management of business associate agreements.
You Used a HIPAA Checklist as Your Risk Analysis
Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.[8] Typically, checklists do not provide the elements of a risk analysis that must be incorporated (see “Risk Analysis” in the What Do You Need to Do? section of this document for a description of those elements).
It’s Been More than a Year Since Your Last Risk Analysis
While the HIPAA Security Rule does not specify how frequently to perform a risk analysis, the risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. [45 CFR 164.306(e) and 164.316(b)(2)(iii)] If you haven’t conducted a risk analysis in the past year, and you do not have an ongoing risk management process that includes continuous risk analysis, you may not be complying with the Security Management Process standard [45 CFR 164.308(a)(1)].[9]
You Have Template Policies
Many HIPAA compliance manuals come with template policies that require you to modify them to accurately reflect your practice’s specific policies and procedures. If you simply copied and pasted your practice name onto template policies, your policy documents may be describing procedures that your practice does not follow or policies that may not be reasonable to implement. In any investigation or audit conducted by the Office for Civil Rights, a copy of your policy documents in effect at the time of the incident will be requested. These documents must accurately describe your implemented policies and procedures.
[8] Medicare and Medicaid EHR Incentive Programs: Security Risk Analysis Tipsheet, https://www.cms.gov/eHealth/downloads/eHealthU_SecurityRiskAnalysisFactSheet.pdf
[9] OCR Guidance on Risk Analysis, https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-riskanalysis/index.html?language=es
You Are Missing Documents Referenced in Policies
Most policies reference other documents, such as a Contingency Plan or Disaster Recovery Plan, Risk Management Plan, Device Inventory, etc. Documents referenced by your policies and procedures should be accurate and available for providing documentation of procedures and policy implementation. If you are missing any documents referenced in your policies, you may not be complying with your organization’s written policies.
You Haven’t Reviewed Your Policies Since Your Last Risk Analysis
The Policy and Procedures: Updates implementation specification states, “Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.” [45 CFR 164.316(b)(2)(iii)] You should manage your documentation so that it reflects the current status of the security measures implemented to comply with the Security Rule.[10] If you have not reviewed your policies after your last risk analysis, your policies may not accurately reflect the security measures needed after changes in your operations, technology, or business.
You Aren’t Documenting Your Compliance
Written policies and procedures are not the only documentation required by the HIPAA Security Rule. In addition to requiring the Risk Analysis to be documented, the Documentation implementation specification requires, “…if an action, activity, or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.” [45 CFR 164.316(b)(1)] Requests for information from OCR as a result of investigations or audits often include items that begin with “Evidence of …” or “Evidence that workforce members…”[11] You may need to provide documentation that your policies and security measures have been implemented.
Your Staff is Given Generic HIPAA Training
The Sanctions implementation specification [45 CFR 164.308(a)(1)(ii)(C)] states, “Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.”[12] If your workforce members have not been trained on your organization’s policies and procedures, it is difficult to enforce a Sanctions Policy for failure to comply with those policies and procedures. Additionally, the Security Awareness and Training standard calls for periodic retraining whenever environmental or operational changes affect the security of EPHI, such as new or updated policies and procedures. Generic HIPAA training may not cover your organization’s specific policies and procedures or changes to those policies and procedures.
[10] OCR HIPAA Security Series: Security Standards: Organizational, Policies and Procedures and Documentation Requirements, https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/pprequirements.pdf?language=es
[11] OCR data requests obtained through Freedom of Information Act requests
[12] OCR HIPAA Security Series: Security Standards: Administrative Safeguards, https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf?language=es
LayerCompliance.com | 800.334.6071
You Rely on Your EHR Software Vendor for HIPAA Security
Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with the HIPAA Privacy and Security Rules. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR. It is solely your responsibility to have a complete risk analysis conducted and to implement the security measures necessary to comply with the standards and implementation specifications required by the HIPAA Security Rule.[13]