In 1996 the US Congress passed the Health Insurance Portability and Accountability Act (HIPAA). This law requires the healthcare industry to protect sensitive patient health information from being disclosed without the patient’s knowledge or consent. The law specifically applies to “Covered Entities”, which include healthcare providers, plans, clearinghouses, and business associates that use or disclose individually identifiable health information while providing services.
The law mostly establishes the following rules:
- Privacy Rule: defines what protected health information is and how it must be protected.
- Security Rule: puts the responsibility on stewards of that information to protect and secure it.
- Breach Notification Rule: requires organizations to notify HHS when there is a data/security breach.
- Enforcement Rule: gives HHS the authority to fine organizations that fail to meet standards; fines can reach up to $1.5 Million per violation.
- Omnibus Rule: additions made to HIPAA in 2013 that outline the criteria for Business Associate Agreements (BAAs) and other provisions.
But since you are reading this article, you probably already know all of that. Now on to what you really want to know:
- How do I become HIPAA compliant?
- How long is it going to take?
- How much is it going to cost?
- Can anyone make this easier?
Let’s start with the first question, how do I become HIPAA compliant? Well, since HIPAA is heavily dependent on your specific organization’s inner workings, there isn’t a perfect step-by-step set of instructions that will tell you exactly how to do that. There is an entire industry of compliance experts that spend hours and hours consulting organizations on just that. However, at TeamFlow, we have created a process flow diagram that takes you through the steps that most organizations take to become compliant.
You can use this free HIPAA template as a framework for managing your compliance process. As you move forward, you could hire consultants for the specific areas that you need instead of hiring someone to manage the entire process. Your first step is to assign specific individuals in your organization to the roles that will be used throughout the compliance process. These roles are Compliance Officer, Security Officer and Privacy Officer. You can come up with different names for these roles, but the important thing is to maintain a clear definition of roles and responsibilities.
Next you need to start conducting assessments such as a Security Risk Assessment, Privacy Assessment, and an Administrative Assessment. These assessments are a tool for you to start documenting risks and identifying gaps which will go into creating a plan to remediate and address these issues in your organization. The National Institute of Standards and Technology (NIST) has a ton of great resources on how to conduct these assessments specifically for HIPAA compliance.
Now that you have identified and documented all gaps and have created your remediation plan, your next step is to develop policies & procedures for privacy/security breaches. HHS has some great resources that outline these policies and procedures. These policies mostly focus on establishing mature security procedures in your organization around training, access control and monitoring.
After you have done that, you need to communicate these policies to your staff and make them easy for anyone in your organization to access. Next you need to make sure that everyone agrees to adhere to these policies. You also need to document each attestation securely in a repository so that you can provide records in the future, for example during an audit.
You must also develop a Compliance and Training Program that, for example, covers the specifics of handling and securing data, privacy, and how to respond to security breaches. HHS has provided training materials you can use as a starting point for your training program. There are also paid training courses online, such as those on Udemy. You will need to document training certificates for all of your staff and repeat this process every year.
Next you will need to create Business Associate Agreements (BAAs) and perform audits on all of your business associates to ensure they are HIPAA compliant as well. Remember that it is your responsibility under the Omnibus Rule to document and assess everyone you do business with that could potentially come into contact with PHI. After you have created a template of your BAA document, you will need to execute signed agreements with all of your business associates.
After that is completed, you will now need to develop a process for security/privacy incidents or breaches. It is important that you have mechanisms in your organization for staff to be able to anonymously report incidents. You need to investigate each incident and if proven to be a valid breach you must report this to HHS by Submitting Notice of a Breach to the Secretary.
How much is this going to cost and how long will it take?
Okay, okay, so we talked about how you become HIPAA compliant, but we haven’t spoken much about the costs or time involved. The costs can vary wildly, from official filing fees (technically the bare minimum) to the many additional costs you are likely to incur, such as consulting, internal resource utilization, etc. According to SecurityMetrics, the bare minimum cost is around $1,000 but can go up to $50,000 and beyond depending on your organization’s size and complexity.
In our free HIPAA template we estimate the time for this process to be around 4 and a half months. But again, that can vary greatly depending on how long it takes your organization to complete all of the above steps and on any blockers you may encounter along the way.
Can anyone make this easier?
Finally, on to our last question: Can anyone make this easier? Well, the answer is yes! At TeamFlow, we have tried to do exactly that. We created an easy-to-use free HIPAA template that makes getting started with HIPAA convenient for any organization of any size.
You can get started by signing up for a free account and clicking “New” to start a diagram. Next click “From Template” and choose the “HIPAA Compliance” template. Select “Project” to take advantage of project management features like tracking actual costs/time vs planned costs/time. This also allows you to check off tasks as they are completed to follow along with your completion percentage.
There are many other great features such as automation, real-time collaboration, publishing, analysis/reporting and more. TeamFlow is free forever for a single-user account and paid plans are available for professionals and multi-user organizations. Organization accounts can take full advantage of all features and build a Process Repository to securely store all documents, policies and procedures related to HIPAA or any other compliance you may need.
In conclusion, HIPAA is a complex and difficult process for most organizations to follow. Hopefully this guide has been a helpful resource to you while navigating the challenging world of healthcare compliance. If you have any suggestions or feedback on this article, please drop us a line. As always, thank you for reading and we hope you check back soon for more helpful guides on compliance and other industry topics. To get notifications on when we post our next article, please follow us on Twitter and LinkedIn.