Many organizations looking to become HIPAA compliant start with training. HIPAA training is a good basis for HIPAA compliance as it provides an overview of the regulation; however, it is not enough. There are several other elements that factor into developing an effective HIPAA compliance program. These are discussed in detail below.
Developing a HIPAA Compliance Program
The Department of Health and Human Services requires healthcare organizations, including behavioral health providers, to implement a HIPAA compliance program to ensure protected health information privacy and security. An effective HIPAA compliance program consists of self-audits, gap identification and remediation, policies and procedures, employee training, business associate management, and incident response.
- Self-audits. Behavioral health providers are required to conduct six self-audits annually. These audits include the IT Risk Analysis Questionnaire, Security Standards, HITECH Subtitle D, Asset and Device, Physical Site, and Privacy Assessment. The purpose of conducting self-audits is to measure current privacy, security, and breach notification practices against HIPAA standards.
- Gap identification and remediation. Through the completion of self-audits, gaps in current practices are identified. These gaps, also known as risks and vulnerabilities, must be addressed with remediation plans. Remediation plans should be specific and include how deficiencies will be addressed and timelines for remediation.
- Policies and procedures. Policies and procedures create guidelines for PHI’s proper uses and disclosures, how PHI is protected, and how and when to report a PHI breach. Policies and procedures must be customized for each organization to account for nuances in the way the business operates. They must also be reviewed annually and adjusted should there be any changes to business operations.
- Employee training. To ensure that employees are aware of HIPAA requirements and their organization’s policies and procedures, they must be trained annually. Effective training gives employees the opportunity to ask questions about material they do not understand and, once they do understand it, to legally attest that they will abide by it.
- Business associate management. The HHS requires behavioral health providers to assess their business associates’ HIPAA compliance before contracting with them. This can be done by sending the business associate a vendor questionnaire similar to the self-audits described above. The business associate must agree to remediate any deficiencies before the provider begins working with them. Providers are also required to have a signed business associate agreement with each business associate before sharing PHI with them. A business associate agreement is a legal document that requires each signing party to be HIPAA compliant and to maintain that compliance.
- Incident management. Any breach that affects the privacy or security of PHI must be reported. This includes unauthorized use or disclosure of PHI, hacking incidents, loss or theft of paper records, and loss or theft of unencrypted devices containing PHI. Telehealth.org has also discussed 8 common HIPAA violations that increase legal risk in previous blog posts. Breaches affecting fewer than 500 patients must be reported to the HHS’ Office for Civil Rights (OCR) and to the affected patients. Breaches affecting 500 or more patients must be reported to the HHS’ OCR, the affected patients, and local media outlets.
HIPAA Resources
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance, with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!

Basic Telehealth Legal & Ethical Rules: HIPAA, Privacy, Working Across State Lines, Malpractice Insurance
Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!