What's in Our 2018 SecurityMetrics HIPAA Guide?
A Look into the 2018 SecurityMetrics Guide to HIPAA Compliance
We are thrilled to announce the release of our brand-new HIPAA Guide! No matter the size of your organization, you can use this guide to understand and handle the more challenging requirements of HIPAA. In fact, it's already coming in handy for many of our partners. See what some of them have to say:
"The HIPAA Guide book is one of the best references. It's well-organized and easy for our medical office staff and providers to understand." -Hedy Haun, Sr. Process Analyst, SHARP Medical Group
"Words cannot express what the HIPAA Guide represents to me and all of Curis. It's like an encyclopedia for us." -George Arnau, Curis Practice Solutions
Download the 2018 HIPAA Guide here.
A better way to read and utilize our HIPAA guide
As many of our partners report back to us, our HIPAA Guide is best used as a desk-side reference. To make the guide more useful to you, we've added a new section called "How to Read This Guide." It includes a color-coded system with reading suggestions based on your familiarity with HIPAA: beginning, intermediate, and advanced. This section also discusses the skill levels likely required for policy and procedure implementation.
We understand there are many job descriptions that require an understanding of HIPAA, so whether you're a brand-new employee or a seasoned systems administrator, our guide is meant for you.
We also include a "Terms and Definitions" glossary at the end of the 135-page guide. This is meant to help familiarize you with data security and tech terms you may not already know.
Ultimately, we want to help you keep your patients' and customers' data safe and secure. By helping you address the most complicated aspects of data security and HIPAA, we aim to equip you with practical knowledge you can use in meetings and trainings, while drafting policies and procedures, and when making decisions about security at your practice.
Survey Data and HIPAA industry trends
This year, we conducted four surveys and received responses from over 300 healthcare professionals. These professionals are responsible for HIPAA compliance at their organizations and work primarily at companies with fewer than 500 employees. While larger organizations tend to have better HIPAA compliance, it's important that they still take note of compliance trends at organizations of all sizes, since they will likely share data and interact with those organizations (for instance, when a large hospital sends patient records to a smaller specialty clinic).
We asked respondents about security habits at their organizations. Training and encryption continue to challenge HIPAA teams, while many organizations fare well in the area of risk analysis. Here are just a few of our survey results:
- 6% of organizations do not conduct a formal risk analysis
- 16% of organizations report they send emails with unencrypted patient data
- 34% of organizations train employees on the HIPAA Breach Notification Rule
Top Tips for Better Data Security
As lead SecurityMetrics HIPAA auditor Brand Barney says, "Our guide was specifically created to help covered entities and business associates address the most problematic issues within HIPAA compliance."
So, the guide focuses on commonly challenging aspects of the HIPAA Privacy, Breach Notification, and Security Rules, including:
- Incident response plans
- PHI encryption
- Business associate agreements
- Mobile device security
- HIPAA-compliant emails
- Remote access
- Vulnerability scanning
- Penetration testing
A proactive, offense-minded approach
Even with steep penalties in place, HIPAA compliance, particularly when it comes to security, is often not as complete as is thought or hoped. In fact, according to the Identity Theft Resource Center, 24.7% of data breaches in 2017 were healthcare-related. Education is the first line of defense, so becoming familiar with the guide is one of the best ways you can proactively protect your organization from a potentially devastating data breach.