We are in the home stretch in the race to the September 23 compliance deadline. With only one month to go, whether you are a covered entity or a business associate, you should be nearly finished with your HIPAA compliance checklists. These checklists should look something like this:
- Perform or update a risk analysis to assess the potential risks and vulnerabilities of electronic PHI. This is a foundational requirement that is the basis for implementing safeguards and policies that comply with the HIPAA Security Rule.
- Review and update your HIPAA policies and procedures, including encryption policies, portable electronic device policies, texting policies, BYOD policies, social media policies and telecommuting policies.
- Update your Notice of Privacy Practices.
- Train (and re-train) all employees regularly to comply with your HIPAA policies and procedures.
- Encrypt, encrypt, encrypt.
- Develop a breach response plan to ensure a uniform and effective response to any data incident.
- In the event of an incident involving the unauthorized access or disclosure of PHI, timely correct the issue, document every step of your investigation into the incident, and critically analyze and document your decision whether or not the incident has a low probable risk of harm based upon HIPAA’s four factor risk assessment.
- Clearly define breach notification obligations (i.e. reporting, notification, monitoring, indemnification) in all business associate relationships.
- Update all new business associate agreements (in place after January 26, 2013) before the September 23, 2013 deadline.
- Update all existing business associate agreements (in place prior to January 26, 2013) before the September 23, 2014 extended deadline.
- Purchase data breach insurance and include data breach insurance obligations in your business associate agreements.
If you are well underway, finish strong! If you have not started, get started! Making a reasonable effort to comply will go a long way with OCR; burying your head in the sand will not.