HIPAA is a process, not a destination . . . but it doesn’t hurt to know your timeframe.
|By: Thomas McCrory|
SEE ALSO: How Healthcare Security Complacency is Killing Your Organization
I’ll try to cover the "what is HIPAA compliance" basics and not overwhelm you. If you want to learn more, you’ll see lots of external links to places that cover certain topics more in depth (like these useful HIPAA FAQ and HIPAA Myths articles).
SEE ALSO: Snapshot of HIPAA and Healthcare Data Security
Which organizations does HIPAA apply to?HIPAA rules apply to two groups: covered entities and business associates.
- A covered entity is a health plan, healthcare clearinghouse or healthcare provider that electronically transmits any health information (e.g., doctors, dentists, pharmacies, health insurance companies, company health plans, HIEs).
- A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of a covered entity (e.g., CPA, attorney, third party IT, billing and coding, laboratories).
Learn more in depth who is responsible for HIPAA violations.
What is HIPAA compliance?In HIPAA, the OCR audit protocols are composed of the Privacy Rule, the Breach Notification Rule, and the Security Rule. Most healthcare organizations are already pretty familiar with the first two, so I generally focus on the Security Rule when discussing HIPAA compliance timeframes.
The HIPAA security challenge for most entities is technology and the fact that PHI is literally everywhere. Since the rise of electronic record implementation, it’s become more difficult to secure patient data from breach exposure. With each new mobile device, networked medical device, and computer come additional unsecured avenues to patient data.
The Security Rule shows certain requirements be met to safeguard patient data. For example: encrypting emails, logging off computers when leaving workstations, securing data backup, signing new business associate agreements, implementing risk management plans, conducting a risk analysis, enforcing security policies, and regular employee trainings.
All in all, there are 77 Security Rule requirements that encompass 254 individual validation points.
Learn more about your HIPAA security requirements.
How long does HIPAA compliance take?
I can’t accurately determine how long without a full assessment of an individual organization’s systems, workforce, and technology. And even then, the timeframe simply depends on too many variables.
Before I review those variables, let me make one thing very clear. HIPAA is not a destination, it’s a journey.
HIPAA compliance and HIPAA security are never 100% complete. Medical processes are always changing, workforce member turnover happens, technology is updated, and before you know it, the environment is significantly different from its last HIPAA assessment. My point is, HIPAA should be an ongoing ‘business as usual’ practice.
That being said, I know you’re still probably looking for a timeframe. So, let me try to estimate for you.
You may also be interested in: How Much Does HIPAA Compliance Cost?
There are a few things your timeframe will depend on, including but not limited to:
- Your organization’s type: Are you a hospital, business associate, HIE, healthcare clearinghouse, or another type of healthcare provider? Each has varying requirements necessary to safeguard patient’s information. For example, a third party IT associate who only works with a single-location doctor’s office will have fewer HIPAA to do’s than an IT organization that oversees an entire hospital’s IT department.
- Your organization’s size: Typically, the larger the organization, the more vulnerabilities it has. More workforce members, more programs, more processes, more computers, more PHI, and more departments means you should allot more time to HIPAA requirement completion. Hospitals should expect to spend much longer on the HIPAA compliance process than, say, a single-location doctor’s office.
- Your organization’s culture: If data security is one of upper management’s top priorities, increasing time spent on HIPAA compliance probably isn’t a major internal struggle. In other cases, feet draggers that don’t clearly understand the organization’s HIPAA responsibilities (from workforce members to board members) will make the process take a lot longer than necessary.
- Your organization’s environment: Because HIPAA requires the most up-to-date and secure technology, outdated medical devices, computer operating systems, firewall types, and backend server models can negatively affect your HIPAA timeframe. Where PHI is stored can make a big difference in time and investment needed to properly secure your data. A virtual environment may be cheaper and easier to upgrade than a physical environment.
- Your organization’s dedicated HIPAA workforce: Even with a dedicated HIPAA team, organizations usually require outside assistance or consulting to help them meet HIPAA requirements. Hiring an outside HIPAA consultant for a HIPAA audit will significantly reduce your organization’s time spent on items such as a risk analysis and risk management plan.
- What you’ve already completed: Obviously, if you’ve already worked on HIPAA compliance or security, it will make an impact on how much longer HIPAA will take. (Take a quick HIPAA quiz to see how you’re doing.) For example, if you’ve already conducted a risk analysis, it will significantly decrease the time you must spend on analyzing how PHI is (or isn’t) secured at your organization.
HIPAA compliance timeframesWhile accounting for the variables I listed above, here are some specific timeframes you can use to begin a HIPAA plan.
Hospitals and large healthcare organizations:
Expect HIPAA to be a full-time job for an entire team of healthcare risk and compliance professionals. If you’re starting from scratch, HIPAA compliance will likely take you 2-3 years (if not more).
Does that seem like a ridiculous estimate? First, think of how long it’s taken your employees to get up to speed with the HIPAA Privacy Rule. Now double that.
The Security Rule contains 77 requirements (three more than the Privacy Rule). Those 77 requirements have 254 validation points. Each of those validation points requires a big change in technology or process for your organization’s infrastructure. Not to mention the giant list of all business associates you’re required to monitor for HIPAA compliance as well.
The point is healthcare organizations don’t already have the infrastructure to support HIPAA’s strict security requirements regarding patient data security. It’s not just processes and trainings that need to occur. HIPAA may require an entire systems overhaul within your organization.
Because each large environment is unique, I highly recommend speaking with a HIPAA consultant who can break down what is expected of your organization and get you on a plan to HIPAA success.
Medium-sized healthcare organizations:
Medium-sized organizations are difficult to estimate, because they vary so much in size. But generally, from beginning to end, HIPAA will likely take you 1-2 years.
Because medium-sized entities usually have multiple locations, start a PHI flow chart to speed up your process. This helps identify exactly where your PHI is, where it flows, and where it’s stored to assist in your decision to implement appropriate patient data safeguards.
Single-location healthcare locations and business associates:
With a full-time staff member devoted to HIPAA, it should take a typical office less than 6 months to become compliant. If a full-time employee isn’t realistic, or if you can only afford a few hours per week, HIPAA compliance will take longer.
Lucky for you, requirements that may take a large organization years to accomplish, you can finish in half the time (e.g., business associate agreements, risk analysis, risk management plans, etc.).
Check out this this 21-day plan for HIPAA compliance, specifically for small organizations.
Start now or risk spending even more time on HIPAAWhat is HIPAA compliance? It’s the best and only government-sanctioned way to secure your patients’ sensitive medical data. It’s a necessary evil…that shouldn’t be considered evil. It’s expected.
HIPAA is not going away. In fact, I estimate that the HHS will release an updated version in the next few years.
For those putting HIPAA on the backburner, you are simply putting off the inevitable.I don’t mean to depress you with these timeframes. I hope they give you a realistic expectation for what is truly required for HIPAA compliance. If you’re not sure where to start, check out this awesome software designed to track HIPAA progress. Get a free demo here.
Thomas McCrory (CISSP, MCITP, QSA) is a Security Analyst, and has been with SecurityMetrics for a little over 2 years. He specializes in Risk Analysis and has a Master of Science Information Systems from the University of Utah. Previously, Thomas worked as an EMT for 10 years.