HIPAA compliance requires a basic foundation. There are three fundamental steps every organization should take to be HIPAA compliant:
- Conduct a Risk Analysis. A Risk Analysis is the first requirement of the HIPAA Security Rule, and it is also a core requirement for Meaningful Use. A Risk Analysis provides a map to HIPAA compliance. Every organization subject to HIPAA must conduct a Risk Analysis and remediate gaps it identifies. Failure to conduct the Risk Analysis is a major HIPAA violation subject to fines and loss of Meaningful Use incentives.
- Implement HIPAA documentation. Every Covered Entity and Business Associate is required to have updated HIPAA documentation, including policies and procedures and Business Associate Agreements. Covered Entities must also have an updated Notice of Privacy Practices. Documentation must be updated to reflect the requirements of the HIPAA Omnibus Final Rule of 2013.
- Complete HIPAA training. Every staff member who comes into contact with Protected Health Information must complete HIPAA Workforce Training, at least annually. This brief, affordable training helps staff understand the law’s requirements and provides practical advice on preventing breaches. The law also requires every organization to designate a Security Officer, a staff member who helps to ensure compliance. This individual should complete more comprehensive HIPAA Security Officer training.