Getting HIPAA compliant can be easier if you break it down into steps.

We all know HIPAA compliance can feel like a monstrous task. Between risk analysis, firewalls, employee training, and physical security, it can be a bit overwhelming.
The good news is you don’t have to get HIPAA compliant overnight. Taking on HIPAA compliance one step at a time is more effective than trying to tackle everything at once. Here is your 12-month plan for HIPAA.
- How data enters your environment
- Where it’s stored
- If it’s sent off to a third party
2. February: Create and document a flow chart
A PHI flow chart is a graphical representation of where PHI comes into your organization, where it’s stored, and where it leaves.
The more places that have access to patient information, the higher the chances for a data breach. That’s why flow charts are important. You can’t protect your data if you don’t know where it’s entering and leaving your organization.
SEE ALSO: PHI: It’s Literally Everywhere [Infographic]
3. March: Start regular employee training
Your employees can be one of your greatest security risks. Make a plan for how often you’ll train employees.
These days, it’s not enough to do it once a year. We recommend at least quarterly, if not monthly trainings.
Have SecurityMetrics help you train your employees!
4. April: Test your employees
The best way to analyze the effectiveness of your training is to test your employees. This will help you see how your employees will react in an incident. Here are two common ways you can test employees:
- Social engineering: have someone come in and try to gain access to PHI. See what your employees do. Do they question or report the person?
- Phishing: send your staff a fake phishing email created by your IT team. Track the number of opens to see how many fall for it.
5. May: Locate problem areas
Use the results of tests to see where your organization needs to improve in security. This is a good time to run vulnerability scans to see where you may have holes in your security. At this point, if you’ve documented everything, you’ve essentially created your HIPAA risk analysis.
SEE ALSO: 5 Steps to Making a Risk Assessment
6. June: Create a risk management plan
Now that you’ve got a list of issues to resolve, you need to plan how to resolve them through a risk management plan. Here are some things you may want to include in your plan:
- Each HIPAA rule: having all the rules listed in a document will help you stay organized. It’ll keep you from missing anything important.
- Risk level: determine the risks to your organization and what level of risk they present (high, medium, low). This will help you to prioritize.
- Your plan: lay out the course of action you will take to address each risk.
- Notes section: it’s good to include a comments section next to each requirement. This will help you stay organized and updated.
7. July: Start fixing your problems
Now that you have a plan, it’s time to implement it. The best way to avoid getting overwhelmed is to prioritize. Some things to ask yourself are:
- What are the most important parts of your risk management plan?
- What vulnerabilities will most likely be exploited this year?
- Where are your highest threats?
8. August: Create an incident response plan
You need to create and update your incident response plan, using information from your risk analysis and risk management plan. Here are some questions you should ask:
- What types of security precautions are in place?
- What’s the protocol in a data breach?
- Do employees know their responsibilities before, during, and after an incident?
- What if a co-location or business associate is involved in the incident?
Include these elements in your plan and make sure employees are properly trained to respond to a data breach.
SEE ALSO: What To Do When You Get Hacked, Step-By-Step
Document failures and successes during your test, so you can make adjustments to your incident response plan.
10. October: Get business associates on board
If your business associates aren’t secure, you could still be liable in a data breach. Make sure you educate your third-party vendors on HIPAA and sign a Business Associate Agreement.
11. November: Update policies
Most healthcare organizations haven’t updated their organizational policies in years. Policies define what your organization protects and how it protects PHI. It’s also very important to have these policies documented. If not, you could be held liable in a data breach. A few policies you’ll want to implement are:
- Breach notification policies
- Security policies
- Privacy policies
12. December: Assess your process
HIPAA isn’t an annual process; it should be an ongoing process. See where you are in the HIPAA process and how far you’ve come. Set goals for next year and document those plans. This is a great time to see what’s working for your organization and HIPAA, and what could use more tweaking.
SEE ALSO: Snapshot of HIPAA and Healthcare Data Security
Remember, HIPAA doesn’t have to be overwhelming; you just need to break it down into feasible steps and goals. You can’t become HIPAA compliant in a day, but if you work at it step by step, it eventually gets easier.
To learn more about getting HIPAA compliant in a year, check out our ebook, Implementing Your HIPAA Compliance Plan.