Steps Toward Compliance
Taking proactive measures now is the most effective way to minimize unauthorized uses or disclosures of PHI. At a minimum, your practice should:
- Nominate a privacy officer and security officer to be responsible for overseeing the development, implementation and maintenance of privacy policies and procedures for safeguarding PHI;
- Develop and implement a robust set of HIPAA policies and procedures;
- Regularly conduct a thorough review of existing HIPAA policies and procedures, and confirm those policies and procedures have actually been implemented and are effective. A written policy serves no purpose if it is not working or has not been implemented;
- Train workforce personnel on your policies and procedures and on common security incidents. Educate your workforce on how to identify a ransomware or phishing attack, and what action to take in the event of such an attack;
- Assemble an incident response team (IRT) and involve legal, IT and human resource representatives, among others;
- Draft an incident response plan (IRP). This will be your go-to document in the event of a breach. It should identify the IRT and clearly describe the decision-making process when handling security incidents;
- Test your IRT and IRP. This can be done by educating personnel and then testing your IRT on HIPAA compliance requirements. In addition, pose hypothetical security incidents to the IRT and have the team follow the IRP. Once completed, revise the IRP to overcome any shortcomings noted during the hypothetical scenario; and
- Perform a risk assessment, including penetration testing, of your computers, devices and electronic health record software.
Steven M. Harris, Esq., is a nationally recognized healthcare attorney with McDonald Hopkins LLC. Contact him at [email protected].
Create an Incident Response Team & Plan
HIPAA requires all covered entitities—no matter how large or small—to plan how they would respond to security incidents (i.e., how they prepare for incidents, detect and analyze incidents, and respond to incidents). However, the scope of an incident response plan (IRP) will vary based on the organization size, and a smaller organization may have a less involved IRP (fewer decision makers, etc.), but it must still have some sort of IRP.
The first step: You must identify the members of your incident response team (IRT). Security incidents affect almost every component of an organization, and failure to properly manage an incident can result in both long- and short-term consequences. For that reason, the team should include executive decision makers in the following areas:
- Information technology;
- Risk management/insurance;
- Human resources;
- Public relations; and
- Compliance and internal audit;
- Physical security;
- Other executives, as appropriate;
- Third-party response services (e.g., forensics, privacy counsel, notification).
Small practices may not have personnel dedicated to each of these functions and may need to assign one person to cover multiple areas. Example: If your practice doesn’t have a dedicated marketing and public relations staff member, your office manager may be the best person to represent those functions on the team. Once your IRT is assembled, you should get to work on your IRP.