HIPAA Requires Training and Risk Assessment

You undoubtedly know you have to train every employee in security awareness to protect the privacy of your patients’ health records. That’s mandatory. It’s an administrative requirement of HIPAA’s Privacy Rule (45 CFR §164.530b(i)) and Security Rule (45 CFR §164.308, 5(i)).

And you have to analyze the strengths and weaknesses of your practice’s security safeguards that protect that privacy.

HIPAA imposes those obligations—but HIPAAmart has the solution.

Our Portal provides:

  • A training video that’s complete, memorable, and easy to use. Current employees can watch it now. New employees watch it as soon as they start work. And everyone watches it again annually to stay up to date.
  • A Risk Assessment Tool. Risk Assessment is the second critical element of HIPAA compliance. You have to designate an employee to be responsible for the overall security of your patient’s electronic health records (ePHI). HIPAAmart provides a Risk Assessment Template and Questionnaire for that employee to complete every year.

The HIPAAmart Portal keeps a record of employee training and a copy of your Risk Assessment Questionnaire. Both will ensure your practice reaches the Safe Harbor of Best Practices.

“Safe Harbor” for Medical Professionals using Best Practices

Before January 5, 2020, fines, settlements and penalties for HIPAA non-compliance totaled over $40 million for the prior two years alone!

On that date Congress passed a law introducing a “Safe Harbor” protecting HIPAA-covered practices and Business Associates from those financial penalties—If they adopt so-called Best Practices, and if those Best Practices have been in place for the prior 12 months.

HIPAAmart provides a full suite of easy-to-use programs to establish your Best Practices. .

Origins of HIPAA

In 1996, after certain well-publicized releases of private medical information, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Act (HITECH) to protect private health information (PHI).

The federal Department of Health and Human Services (HHS) then set up rules to carry out those laws and to notify patients if their information is breached.

The regulations also require the Office of Civil Rights (OCR) to conduct audits to be sure that medical and related practices are complying.

HIPAAmart will help your practice achieve and remain in compliance with these requirements. You’ll be ready for any audit at any time.

HIPAA Privacy Rule and Security Rule

These rules carry out the intent of HIPAA to protect patient privacy and to ensure the security of electronic protected health information (called ePHI). The federal Office of Civil Rights (OCR) is responsible for enforcing these rules.

Your practice must comply voluntarily or face monetary penalties,  Here’s what your practice must do:

  • Make sure your patients’ ePHI is confidential but available;
  • Protect it against security threats (hacking, for example)
  • Protect it against impermissible use or disclosure (leaving it lying around publicly)
  • Make sure your employees comply with HIPAA
  • Make sure your Business Associates comply with HIPAA

There is some flexibility in the Security Rule, depending on your practice’s size. HIPAAmart can help you determine which security measures you need. Our pricing is specifically aimed at smaller practices.

Flexibility of the Security Rule based upon size of provider.

HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore, the Security Rule is flexible and scalable to allow medical and related practitioners to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular practitioner will depend on the nature of the your business, your size and resources.

You will need to consider:

  • Your practice’s size, complexity, and capabilities,
  • Your practice’s technical, hardware, and software infrastructure,
  • The cost of security measures, and
  • The likelihood and possible impact of potential risks to e-PHI.

You’ll have to review and modify your security measures to continue protecting e-PHI in a changing environment—but HIPAAmart will help you do that, now and in the future.

Requirement of Risk Analysis and Management

Part of the HIPAA Security Rule requires you to analyze how well your patients’ electronic health records (ePHI) are being protected.

HIPAAmart’s Risk Assessment tool helps your practice determine:

  • Possible risks to your patients’ ePHI
  • How to fix those risks
  • How to document your fixes and why you chose them
  • How to maintain appropriate and reasonable security

You need to do this analysis as an ongoing process, but all those Best Practices will get you to Safe Harbor.

Administrative Safeguards

Your practice has to set up a variety of Administrative Safeguards under HIPAA. Ask yourself if you have:

  • A Security Management Process where you assessed your risk at least annually
  • A designated employee to be responsible for security
  • Only the proper employees with access to ePHI (role-based access).
  • Trained and supervised all employees who work with e-PHI.
  • Appropriate sanctions for employees who violate your HIPAA policies.
  • Periodically assessed how well your policies and procedures meet the Security Rule requirements.