Steps Toward Compliance
Taking proactive measures now is the most effective way to minimize unauthorized uses or disclosures of PHI. At a minimum, your practice should:
- Nominate a privacy officer and security officer to be responsible for overseeing the development, implementation and maintenance of privacy policies and procedures for safeguarding PHI;
- Develop and implement a robust set of HIPAA policies and procedures;
- Regularly conduct a thorough review of existing HIPAA policies and procedures, and confirm those policies and procedures have actually been implemented and are effective. A written policy serves no purpose if it is not working or has not been implemented;
- Train workforce personnel on your policies and procedures and on common security incidents. Educate your workforce on how to identify a ransomware or phishing attack, and what action to take in the event of such an attack;
- Assemble an incident response team (IRT) and involve legal, IT and human resource representatives, among others;
- Draft an incident response plan (IRP). This will be your go-to document in the event of a breach. It should identify the IRT and clearly describe the decision-making process when handling security incidents;
- Test your IRT and IRP. This can be done by educating personnel and then testing your IRT on HIPAA compliance requirements. In addition, pose hypothetical security incidents to the IRT and have the team follow the IRP. Once completed, revise the IRP to overcome any shortcomings noted during the hypothetical scenario; and
- Perform a risk assessment, including penetration testing, of your computers, devices and electronic health record software.
Steven M. Harris, Esq., is a nationally recognized healthcare attorney with McDonald Hopkins LLC. Contact him at sharris@mcdonaldhopkins.com.