Implementing HIPAA: A 12-Month HIPAA Plan to Get Compliant
Getting HIPAA compliant can be easier if you break it down into steps.
We all know HIPAA compliance can feel like a monstrous task. Between risk analysis, firewalls, employee training, and physical security, it can be a bit overwhelming.The good news is you don’t have to get HIPAA compliant overnight.Taking on HIPAA compliance one step at a time is more effective than trying to tackle everything at once. Here is your 12-month plan for HIPAA.
1. January: Understand your organization
Before you start anything else on HIPAA, you need to find where your protected health information is located. Here are some things you should know:- How data enters your environment
- Where it’s stored
- If it’s sent off to a third party
2. February: Create and document a flow chart
A PHI flow chart is a graphical representation of where PHI comes into your organization, where it’s stored, and where it leaves.The more places that have access to patient information, the higher the chances for a data breach. That’s why flow charts are important. You can’t protect your data if you don’t know where it’s entering and leaving your organization.
SEE ALSO: PHI: It’s Literally Everywhere [Infographic]
3. March: Start regular employee training
Your employees can be one of your greatest security risks. Make a plan for how often you’ll train employees.These days, it’s not enough to do it once a year. We recommend at least quarterly, if not monthly trainings.
Have SecurityMetrics help you train your employees!
4. April: Test your employees
The best way to analyze the effectiveness of your training is to test your employees. This will help you see how your employees will react in an incident. Here are two common ways you can test employees:- Social engineering: have someone come in and try to gain access to PHI. See what your employees do. Do they question or report the person?
- Phishing: send your staff a fake phishing email created by your IT team. Track the number of opens to see how many fall for it.
5. May: Locate Problem Areas
Use the results of tests to see where your organization needs to improve in security. This is a good time to run vulnerability scans to see where you may have holes in your security. At this point, if you’ve documented everything, you’ve essentially created your HIPAA risk analysis.SEE ALSO: 5 Steps to Making a Risk Assessment
6. June: Create a risk management plan
Now that you’ve got a list of issues to resolve, you need to plan on how to resolve them through a risk management plan. Here are some things you may want to include in your plan:- Each HIPAA rule: having all the rules listed in a document will help you stay organized. It’ll keep you from missing anything important.
- Risk level: determine the risks to your organization and what level of risk they present (high, medium, low). This will help you to prioritize.
- Your plan: come up with the course of actions you will do to address your risks.
- Notes section: it’s good to include a comments section next to each requirement. This will help you stay organized and updated.
7. July: Start fixing your problems
Now you have plan, it’s time to implement it. The best way to avoid getting overwhelmed is to prioritize. Some things to ask yourself are:- What are the most important parts of your risk management plan?
- What vulnerabilities will most likely be exploited this year?
- Where are our highest threats?
8. August: Create an incident response plan
You need to create and update your incident response plan, using information from your risk analysis and risk management plan. Here are some questions you should ask:- What types of security precautions are in place?
- What’s the protocol in a data breach?
- Do employees know their responsibilities before, during and after an incident?
- What if a co-location or business associate is involved in the incident?
Include these elements in your plan and make sure employees are properly trained to respond to a data breach.
SEE ALSO: What To Do When You Get Hacked, Step-By-Step
9. September: Test your incident response plan
The best way know how your employees will react in a data breach is to test them. You can see how employees work together and how fast they resolve issues under pressure.Document failures and successes during your test, so you can make adjustments to your incident response plan.
10. October: Get business associates on board
If your business associates aren’t secure, you could still be liable in a data breach. Make sure you educate your third party vendors on HIPAA and sign a Business Associate Agreement.11. November: Update policies
Most healthcare organizations haven’t updated their organizational policies in years. Policies define what and how your organization protects PHI. It’s also very important to have these policies documented. If not, you could be held liable in a data breach. A few policies you’ll want to implement are:- Breach notification policies
- Security Policies
- Privacy Policies
12. December: Assess your process
HIPAA isn’t an annual process; it should be an ongoing process. See where you are in the HIPAA process and how far you’ve come. Set goals for next year and document those plans. This is a great time to see what’s working for your organization and HIPAA, and what could use more tweaking.SEE ALSO: Snapshot of HIPAA and Healthcare Data Security
Remember, HIPAA doesn’t have to be overwhelming; you just need to break it down into feasible steps and goals. You can’t become HIPAA compliant in a day, but if you work at it step by step, it eventually gets easier.
To learn more about getting HIPAA compliant in a year, check out our ebook, Implementing Your HIPAA Compliance Plan.