Solutions

Solutions powered by
Learn More.
abaqis for Skilled Nursing

abaqis®

Mitigate risk and elevate your quality of care. Improving both clinical and business outcomes starts with a smarter, more integrated approach to regulatory training, continuing education and quality management.

Learn More

NEW TO THE STORE

hStream Content Marketplace

NurseGrid Learn

Online store for Clinical Learners. Individual CE Credit and industry products for Clinical Learners are now available through NurseGrid Learn (Beta). Explore our robust collection of courses that provides an unparalleled level of flexibility and choice.

DEA MATE Opioid and Substance Use for Practitioners

Meet the DEA's new requirement under the Medication Access and Training Expansion (MATE) Act in an online and self-paced 8-hour DEA MATE Act course specifically designed for practitioners, including Physicians, PAs, NPs, Pharmacists, Dentists and others.

LATEST & POPULAR

BLOG

Nurse Strikes are Scary, but License Verification Doesn’t Have to be
BLOG

Mind Matters: The Interplay of Staff Wellness in Quality Outcomes
BLOG

Unlocking Revenue in Healthcare: The Power of Efficient Credentialing
On-Demand Webinar

Understanding ENA’s Emergency Severity Index Handbook, 5th Edition
On-Demand Webinar

From Regulations to Realities: Nurse Staffing, Unions, and the ShiftWizard Advantage
On-Demand Webinar

myClinicalExchange Empowers Logan Health to Transform Student Onboarding

< HealthStream Resources

blog-images_healthcareconcepts_608x320_artboard-22_o

Three Essential Best Practices for HIPAA Compliance

April 1, 2021
April 1, 2021

This blog post is taken from a recent Webinar featuring Marti Arvin, Vice President of Audit Strategy at CynergisTek.

There have been 17 HIPAA enforcement actions since the beginning of 2016, over a period of 15 months. Most of these were the result of self-disclosure where the organization was required to contact the Office for Civil Rights (OCR about a notifiable breach. Two of the 17 were the result of a complaint filed by individuals regarding the protection of their data. Fifteen, or almost 90%, were resolved by settlement with a resolution agreement and corrective action plan. Two were resolved via the formal resolution process. Here are some best practices for ensuring your organization remains compliant.

Monitor and Update BAAs

Some of the key issues involved in these cases are the absence of a business associate agreement (BAA) or failure to update the BAA for changes under the HITECH law. I’ve seen organizations with BAAs that include language to the effect the BAA would automatically include any amendments to the rule. The problem here is that HITECH changes were not technically amendments to the rule. OCR is likely looking for more structured and formal language addressing HITECH changes.

Many organizations tell me they don’t feel comfortable that they’re capturing all their business associate relationships. If your contracting goes through a single source within your organization, this is easier to do. If it’s decentralized, then anyone who can enter into an agreement must fully understand what triggers the need for a BAA or know who can help them.

The key takeaways here: have a process for identifying, evaluating, monitoring and ending business associate agreements.

Monitor and Audit Access to PHI

Organizations must have a strong program for auditing access and monitoring access by both your workforce members and the employees of any third parties with access to your systems. Many do this well for their workforce members, but find it more challenging to do so for third parties. You should require affiliated organizations to provide proof of training and consider conducting a site visit. It’s important to know their privacy and security incident history. What have they had happened? What are some of the issues that they’ve encountered?

Perform Adequate and Routine Risk Analyses

Another key finding is the failure to perform a risk analysis or conducting an inadequate risk analysis. Risks must be assessed on a routine basis. For example, if you performed one in 2005 and another in 2010, and you haven’t performed one since, OCR is unlikely to find this adequate. I suggest letting no more than three years elapse between assessments. The OCR audit process for phase two requires an organization to provide both their prior and most recent risk assessments along with evidence of mitigation of identified risks.

To learn more, watch the full Webinar here.