
Last Quarter of the Year To Do List: HIPAA


By Olivia Wann, JD


As we enter the last quarter of the year, there are important considerations to make in reviewing your regulatory compliance program. Let's look at HIPAA.

  1. Schedule the required HIPAA and cybersecurity training. If you haven't held your required HIPAA training this year, now is the time to get it done.
  2. Maintain a training roster. Documentation of training is imperative. Once training is completed, have everyone who participated sign the roster, with the date of the training listed. Keep the roster in the Training section of your HIPAA Manual.
  3. Review and update your HIPAA Security policies to align with current cybersecurity best practices. Look at the date of your policies. Are they recent? Do you have a cybersecurity plan implemented in your practice that all staff are following? If not, contact us about getting your HIPAA policies up to date.
  4. Audit business associate agreements to ensure that all business associates are identified and that a business associate agreement is on file for each. A business associate agreement needs to be in place for any outside or affiliated business that has access to the practice's patient records. Here are some examples of possible business associates of a dental and/or medical practice:

- A third-party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
- A consultant that accesses PHI.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan's pharmacist network.

  5. Obtain an IT Scope of Duties or comparable document that clarifies the services your IT provider delivers. Reach out to your IT provider and confirm which services they are and are not providing. Identify any gaps in services that must be filled.
  6. Obtain confidentiality agreements from employees. Each employee of the practice needs to sign a confidentiality agreement. These forms are maintained in the employee's personnel file.
  7. Update the hardware inventory. Maintain a hardware inventory that details your technology assets, including every computer in your practice. This is critical in the event of a breach, or when there is an issue you need to address with your IT provider: knowing exactly what is in your office simplifies the response to potential security issues.
  8. Conduct a HIPAA Security Risk Assessment. OCR requires risk assessments to be documented in your practice. Please reach out to us if you do not have a recent HIPAA Security Risk Assessment.
  9. Create a work plan that corresponds with the results of the HIPAA Security Risk Assessment. Based on the assessment, prepare a work plan to correct any areas of risk you have identified.
  10. Create periodic reminders for employees to guard against phishing email attacks. Regularly remind your team about phishing emails and show samples of what these emails look like. Read more about this topic here: https://www.oliviawann.com/blog/creating-a-human-firewall-in-your-practice
