We’ve Got HIPAA Training, So We’re Done. Right?
When thinking about HIPAA compliance, training is usually what immediately comes to mind. And once you've trained, or your employees have trained, you're done, right? The short answer is no.
The Longer Answer
HIPAA training is only one piece of the compliance puzzle. The other two legal requirements are 1) a Risk Assessment and 2) a Book of Evidence.
- Risk Assessment – A risk assessment is a list of government-mandated questions. These ask you and your organization to think through the existing policies and procedures around data security. By completing a risk assessment, you will identify where there are gaps in your systems and pinpoint your risk areas.
- Book of Evidence – A book of evidence holds all your policies and procedures around PHI and ePHI. This includes how your company and employees handle the data, and what should be done in the event of a breach. A book of evidence houses privacy and patient policies, disaster recovery policies, and templates for data breach notifications.
Why Should We Care About a Risk Assessment or Book of Evidence?
Aside from being legal requirements, both of these items are extremely useful to ensure your employees put their HIPAA training to use and know what they should be doing.
Risk assessments help you see where there are gaps in your systems and procedures. These gaps can be in your digital environment or your physical environment. Do you shut down employee access when someone quits or is fired? Are doors locked to rooms where PHI is kept? If there's an emergency, do you have a disaster recovery plan?
In a Book of Evidence, you map out the solutions to those gaps and provide documentation of your policies. Use your Book of Evidence as part of employee training so everyone knows how to keep data secure, and what to do if the security is ever compromised.
Together, the three pieces of HIPAA compliance ensure everyone knows what needs to be done on an ongoing basis to keep PHI secure, and how to do it.