In this lesson, we're going to look at ways you can reduce the risks to your business as they pertain to data breaches. To this end, we'll show the 3 Pillars of Success that should help eliminate your risks and keep you HIPAA compliant. And at the end of the lesson, we'll say a word about the duties of a HIPAA compliance officer.

There are several common issues we've seen over the years that greatly contribute to you or your organization not being HIPAA compliant, which in turn increases your risk of suffering a data breach.

Those issues include:

  • A limited understanding, on the part of your organization and its staff, of the HIPAA and HITECH laws
  • Limited or no training on how to properly handle PHI, including ePHI and oral conversations
  • A lack of risk assessments to help identify your risks to PHI
  • A limited, or no, Book of Evidence that includes your organization's policies and procedures
  • Not using the proper business associate agreements (BAAs)
  • The use of Gmail, Yahoo, MSN, AOL, and other insecure platforms for the transmission of PHI

So, how can you and your organization be more proactive at reducing your risks and becoming more HIPAA compliant? You can institute what we describe as the 3 Pillars of Success.

The 3 Pillars of Success

The 3 Pillars of Success are:

  1. Risk Assessments
  2. A Book of Evidence
  3. Compliance Training

Let's look at each of these in more detail.

Risk Assessments

Your business or organization must perform a regularly scheduled compliance risk assessment. We recommend doing this on at least an annual basis to ensure that all staff understand any changes within your organization and/or business environment that could contribute to it being less secure.

A Book of Evidence

A Book of Evidence is a basic HIPAA requirement and contains all of your organization's policies and procedures on handling PHI and ePHI, including, among other things, your business continuity plan, your data breach plan, and how to handle unauthorized access to protected health information.

Compliance Training

Compliance training is an essential part of any security plan and ensures that you and your staff understand how to better protect PHI and follow all of your organization's policies and procedures.

The human firewall is the best kind of firewall, but it cannot properly function without training and education. The more you and your employees understand the risks involved and how to handle PHI, the better your organization's chances of reducing the risks of data breaches and the subsequent risks to your business.

A Word About the Duties of a HIPAA Compliance Officer

HIPAA requires that one or more people within a covered entity or business associate be assigned the duties of a HIPAA Compliance Officer. How much work is involved depends on the size of the covered entity or business associate, along with the amount of PHI involved. In smaller organizations, it is often the case that the duties of a HIPAA Compliance Officer are divided between a Privacy Officer and a Security Officer. (Our crystal ball says that we'll be digging into these roles in later lessons.)

The typical duties of a HIPAA Compliance Officer include:

  1. Gaining a thorough knowledge of the HIPAA Privacy and Security Rules and the solutions available that will allow him or her to develop a HIPAA compliance program.
  2. After developing a HIPAA compliance program, the compliance officer should document progress towards its implementation, which would include creating a system that enables the officer to monitor the status of the organization's HIPAA compliance.
  3. That system should allow the officer to prioritize efforts towards compliance and communicate priorities to others in the organization. It should also act as a conduit through which compliance concerns can be raised and organizational changes coordinated.
  4. The HIPAA Compliance Officer is responsible for developing training programs and executing training courses. These should be designed to help employees understand HIPAA compliance and how any changes implemented will affect their specific duties.
  5. The HIPAA Compliance Officer is also responsible for monitoring the regulatory requirements of the Department of Health & Human Services and of their state. When new regulations or guidelines are introduced, the officer must adjust their organization's HIPAA compliance program to reflect those changes.

It's important to understand that HIPAA regulations do not define exactly what the duties of a HIPAA Compliance Officer are. Instead, HIPAA leaves it to each covered entity or business associate to establish their own duties according to their specific requirements.

Thus, in order for an organization to effectively establish the duties of a HIPAA Compliance Officer, it is necessary for that organization to first understand what those specific requirements are. And part of that would entail undertaking a risk assessment.