Spring isn’t the only season for refreshing and renewing business practices. With a back-to-school, change-is-in-the-air feel to it, fall also provides a great opportunity to review and reinforce your business practices — including data security and HIPAA compliance.

This fall is a particularly good time to assess where you stand on critical issues, since the summer of 2015 was darkened by some particularly disturbing security breaches, including those at the Office of Personnel Management and the UCLA Health System.

This 10-point checklist covers the key areas to review and strengthen, so that your security and compliance program earns gold stars at every level of your organization.

1. Send Staff Back to School — Literally.

Ongoing education plays a critical role in protecting sensitive information, and both the Privacy Rule (45 CFR 164.530(b)) and the Security Rule (45 CFR 164.308(a)(5)) require workforce training. Make sure all new staff members have received appropriate HIPAA and other security training, that existing staff members get a refresher, and that completion is documented. Also evaluate your current training program to ensure it addresses all critical, updated, and new issues, such as phishing, which figured in several of this year's breaches.

2. Educate the C-suite, too.

The recent media stories on big breaches are a great door opener to the C-suite, where risk aversion is always high. Make sure your leadership understands the organization's specific risks, in business terms rather than technical ones, and how your legal, compliance, and IT teams are addressing them.

3. Review and Update Your Security Risk Assessment.

Both covered entities and business associates must perform a security risk analysis (45 CFR 164.308(a)(1)(ii)(A)) and keep it current. The Rule does not fix a calendar interval, but an annual update, plus a review whenever the environment changes, is the generally accepted baseline. In particular, check for operational changes since the last analysis: new systems, applications, or vendors handling ePHI, new locations, mobile devices, and cloud services.

4. Inventory Your Business Associate Arrangements.

Assess your business associate management practices against what the OCR Phase 2 HIPAA audit protocol will examine. For example, you need a single repository listing all of your business associates and holding their executed business associate agreements (BAAs), documented contracting practices, and a BAA template that reflects the actual relationship between the parties and the services provided. Check that every vendor that creates, receives, maintains, or transmits PHI on your behalf appears in that list and has a signed agreement.

5. Develop Applicable HIPAA Privacy, Security, and Breach Notification Policies and Procedures.

Make sure you have the following in place: a complete set of implemented, up-to-date Policies and Procedures (PnPs) covering the three HIPAA rules (Privacy, Security, and Breach Notification); PnPs that have been communicated to the workforce; version control over established PnPs; and retention of previous versions of PnPs for six years from the date they were last in effect, as 45 CFR 164.316(b)(2) and 164.530(j) require.

6. Complete a Security Rule Non-Technical Assessment.

An initial assessment should include evidence that compliance with all relevant sections of the HIPAA Security Rule has been evaluated. It should also show that the organization periodically evaluates its compliance both with its own Security Rule PnPs and with the Rule itself, as the Evaluation standard (45 CFR 164.308(a)(8)) requires.

7. Complete a HIPAA Security Rule Technical Security Evaluation (Technical Testing).

An initial assessment should include evidence that your organization performs appropriate ongoing technical testing of its security environment, such as vulnerability scanning, penetration testing, and configuration review, to validate that the controls it has implemented actually work as intended, not merely that they are documented.

8. Complete a Privacy Rule and Breach Rule Assessment.

An assessment should include evidence that you have implemented a formal HIPAA Privacy and Breach Notification compliance program, and that your organization periodically evaluates its compliance both with its internal PnPs for those Rules and with the Rules themselves.

9. Assess Your Cyber Liability Insurance Program.

Gather the documentation for your cyber liability insurance program. It should include a summary of annual revenue and workforce size, copies of current general liability and cyber liability insurance policies, and any other relevant insurance forms. Confirm that the coverage limits and exclusions still match your current risk profile and breach notification obligations.

10. Establish and Execute a Remediation Plan.

Gather evidence that your organization has prioritized and remediated the gaps discovered in its privacy, security, compliance, and information risk management program. Examples include periodic reports to a Compliance/Oversight Committee on assessment results, remediation plans with owners and target dates, and progress against them.

Clearwater Compliance can help you make sure you’ve crossed all the t’s and dotted all of the i’s during your fall security and compliance review and update. Contact us using the form below for more information about our 10 Point Strategic HIPAA Compliance Assessment.

Mary Chaput

CFO & Chief Compliance Officer at Clearwater Compliance
Mary has 35 years of international and domestic business experience spanning the healthcare, information services, manufacturing and venture capital consulting industries. She is Clearwater’s CFO and Compliance Officer. As an experienced corporate CFO and risk manager, Mary works actively with customers and prospects to identify and prioritize their risks and to develop effective remediation plans within their budgets.