Making HIPAA compliance easy is like trying to catch a firefly in your hand. I’m also reminded of those really short video summaries of A Game of Thrones where you get a plot twist a second, and the commentator describes the whole season in a rapid-fire monologue.
We offer our law clients a questionnaire to help explain the HIPAA Security Rule in an abbreviated, relatively understandable format that will help us produce a good first draft of the HIPAA Privacy and Security Manual with respect to protected health information (PHI), and, guide the extensive, subsequent implementation that will be required of the client’s company.
Our questions below are below are directed to a covered entity and in some cases will be narrower for a business associate. As well, state law will have to be consulted.
Much of HIPAA compliance is technical. As HIPAA lawyers, our role in part is to guide you as to whether it seems reasonable to conclude that: (a) you are required to implement an addressable specification (see below), or, (b) have reasonably and appropriately done so.
This is more an art than a science, and requires a bit of legal and operational judgment, which we arrive at collaboratively.
As well, we can guide you further as you drill down into organizational implementation of these somewhat esoteric and detailed standards.
At any rate, I said “easy” so here it is.
But first,please note two overarching points with respect to the HIPAA Security Rule:
- HIPAA compliance is scalable. There is no standard way to approach compliance with the HIPAA Security Rule; rather, A security program should be based on the risks with respect to electronic PHI (ePHI). Factors to evaluate risk include: (1) the company’s size, complexity, and capabilities company; (2) the company’s technical infrastructure, hardware, and software security capabilities; (3) the costs of security measures; and (4) the probability and criticality of potential risks to ePHI. Security controls are proportionate to risk.
- The HIPAA Security Rule includes both “required” and “addressable” standards. When a standard is “addressable,” the Company must determine how (or whether) it is reasonable and appropriate to create a policy and procedure to meet the implementation specification.
Since much of HIPAA security compliance is scalable, we can work with smaller offices to reduce the burden.
Because the Privacy Rule portion of HIPAA is more intuitive than the Security Rule, we do not include questions relevant to the Security Rule on the questionnaire.
1. Security Management Process. This rule focuses, among other things, on risk analysis and risk management. To begin, please generally describe your overall environment with respect to the transmission of patients’ protected health information (PHI) internally or externally (i.e., to insurance companies, billing agent, Medicare/Medicare, etc.).
Do you have a policy to sanction employees for misconduct? Please indicate yes or no, and if yes, describe.
2. Assigned Security Responsibility. You will need to appoint a Security Official, who will be responsible for implementing Security Rule policies and procedures. Who will this be? Do you have an internal head of IT or external IT consultant who can fill the role?
3. Workforce Security. This rule governs security of access to ePHI by members of the workforce. In general, the company must provide only the minimum necessary access to ePHI that is required for a workforce member to do his or her job.
How many people are in your workforce (employees and independent contractors)? .
Which of these have access to electronic PHI? .
What procedures do you have in mind to clear personnel for access to ePHI?
4. Information Access Management. This rule has to do with restricting access to ePHI to appropriate personnel. How will the company decide who can have access—i.e., who “needs to know?”—and how will the company grant or deny access?
5. Security Awareness & Training. The company has an obligation to train staff regarding HIPAA security, and, to create ongoing awareness of security issues. We offer HIPAA online training to staff through a course managed by a separate company (see link). Does the company have thoughts about how to create security awareness, including policies to monitor log-in, monitor passwords, and so on?
Which state’s law will control a confidentiality and security agreement with staff (typically, the state in which the company operates)?
6. Security Incident Procedures. What kinds of procedures will the company implement to record security incidents (among other things, this can include a security incident report):
We also address these other aspects of the HIPAA Security Rule compliance process:
- contingency plan
- business associate
- facility access controls
- workstation use
- workstation security
- device and media contorls
- access controls
- audit controls
- person or entity authentication
- transmission security
- policies and procedures; documentation
Our law firm strives to make the HIPAA compliance process as painless for the organization as possible. Contact our HIPAA lawyers regarding your privacy and security needs with respect to protected health information (PHI).
Or: see our online HIPAA training link.