The Health Insurance Portability and Accountability Act (HIPAA) is a 1996 law that has been expanded and clarified over the years. It includes several rules governing the privacy and security of sensitive health information. The Privacy Rule dictates what must be protected. The Security Rule dictates how you must protect electronic health records. The Breach Notification Rule dictates when and how you must notify affected persons and HHS when a breach occurs.
HIPAA compliance is required of anyone who handles information that is in any way related to healthcare diagnoses, treatments, or payments.
Where do we start?
The Security Rule requires that healthcare organizations perform periodic risk analyses. This typically means an annual compliance assessment. If done right, a single assessment can satisfy both the risk analysis and the evaluation requirements. While technically you can perform these assessments internally, it is far more beneficial to have an unbiased outsider with HIPAA experience perform them. This gives you a true picture of your compliance level.
Once your level of compliance with each control has been evaluated, and the risk of each unmet control has been assessed, you can begin to fill the gaps where you aren't compliant. Building the foundational policy and process documentation should come first. This will guide the rest of your compliance program and help with consistency and controlling costs. From there, we'll help you by implementing the technical controls within your IT infrastructure, the procedures within your business processes, and the physical controls in your building or facility.
Keep it going, long-term
Once you have your compliance program in place, you need to maintain it over the lifetime of your business. The good news is that at this point, the hardest work is done. Now you need to keep up with the changing security and compliance environment, making changes to policies, procedures, and IT systems as needed. If you don't maintain your program, you'll have to start over again very soon.