Provided by Michael Ramsby, GRA Benefits
Having everything documented is perhaps the most challenging aspect of HIPAA. It is also the best insurance your agency has when a breach occurs: documentation will not stop an attacker, but it proves that you had policies in place and followed them.
Companies we speak with generally have policies they abide by, but when we ask ‘is that documented?’ the answer is ‘no.’ Not having policies documented is like not having health insurance. HIPAA compliance, written down and followed, is your insurance policy when a breach happens, whether from hackers, your own employees or the theft of a laptop.
Every policy, procedure or process that affects protected health information (PHI) needs to be documented. This ensures consistency across the agency and prepares you for an audit or investigation.
At a minimum you should have the following four documents.
Disaster Readiness
The important part of your plan is that you have a way to recover all electronic PHI (ePHI) and keep it secure, even if a tornado hits your office. A disaster does not excuse you: if PHI is lost or exposed because of it, you are still liable for penalties.
This plan needs to be documented and should contain:
recovery point objective – how often back-ups are taken, which sets how much data you could lose
maximum tolerable downtime – how long your business can be down before the harm becomes unacceptable
recovery time objective – how long it will take to get everything running again; this must fit inside the maximum tolerable downtime
primary decision makers and backups – who handles emergency decisions
emergency shutdown – procedures for shutting down systems
scenario-specific plans for situations such as a tornado, flood or fire – including who to notify and where staff should meet
Incident and Breach Plan
This is your course of action for an incident or breach. The plan should cover these steps:
Analyze the incident and retrieve as many details as possible: what PHI was involved, who had access to it and for how long.
Go through HIPAA’s four-factor risk assessment to determine whether it is a reportable breach: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
Notify everyone required: the affected individuals, the Department of Health and Human Services and, for breaches affecting more than 500 residents of a state, the media; a business associate must notify the covered entity it serves.
Determine further action steps and how you will prevent a similar breach from recurring.
This plan generally also includes a checklist and a template notification letter.
Change Log
HIPAA requires periodic reviews of information system access and activity. Keeping every change in one place lets you see how the pieces are working together and reconstruct what changed when you review an incident.
A Change Log or Change Document should track any and all changes to:
servers
workstations
building security
mobile devices
GRA Benefits Group includes nearly 20 different logs in our template.
Employee Handbook
An employee handbook details what employees need to know regarding HIPAA. It should incorporate relevant details of the other three plans, such as:
Where to meet for a fire or tornado
Password requirements
Importance of confidentiality
Whom to report breaches or suspected fraud to
Retaliation protection for reporting breaches and fraud
These are only four of the 28 documents GRA Benefits Group provides. Through PHI365, we deliver customized documentation to move you toward HIPAA compliance.
You wouldn’t operate your agency without E&O insurance. Why run your business without HIPAA documents?