HIPAA Compliance Efforts: Planning for the Worst and Hoping for the Best
Planning your HIPAA success is probably the last thing on your mind. As a busy healthcare professional, you deal with multiple roaring fires all day long every day. Because you are so busy, it is easy to put off HIPAA compliance and simply hope for the best. What you may not realize is your burning compliance ember can quickly become an uncontrollable forest fire. Hoping for the best with your HIPAA compliance program has several problems:
- The Office of Civil Rights (OCR) is conducting audits to ensure compliance
- Healthcare breaches are on the rise resulting in costly fines
- It is no longer IF you will experience a breach, but WHEN
Reactive Versus Proactive Compliance
The OCR is auditing organizations of all sizes. In the beginning years of HIPAA it had no teeth. The audits have changed that. The OCR now expects organizations to be proactive in their compliance efforts. Reactive compliance is a thing of the past.
Proactive compliance is imperative to the health of your business. Fines can reach as high as $1.5 Million per incident per calendar year. The largest HIPAA fine was $4.8 Million. Failing to be proactive in your HIPAA compliance efforts will not only put you at risk if you are audited, but will also put you at increased risk for a breach with a lofty fine.
Most importantly, proactive compliance protects your patients. Patients do not always remember their own health issues. Loss of access to your patient files could result in harm to your patients. Being proactive in your compliance efforts helps to ensure your patients’ data stays healthy.
Planning HIPAA Success
To plan for the worst, you need to start by conducting a risk analysis. Be sure to assess your current policies and procedures. Ensure that you are also following them and keeping documentation of your compliance efforts. Conducting a risk analysis is not an optional task for HIPAA covered entities and their business associates; it is a required action. Your organization must determine how often a risk analysis should be conducted.
In addition to the risk analysis, you need to have a solid backup and disaster recovery plan in place. Because the healthcare industry is the most attacked industry, failure to have this step in place could cost you years of patient information on top of lofty fines.
I understand that all this can be overwhelming. However, it is necessary to remember that compliance is not a checkbox that can be marked and then forgotten. Compliance is a journey that must be taken one step at a time. Unfortunately, it is not a journey that has an end point.