As you prepare the SNF Compliance and Ethics Program work plan for 2020, consider planning a review of the facility HIPAA privacy and security program and take steps to manage risk. Consider these 12 tips to get started:
- Designate a privacy officer, security officer, and/or compliance designee who fulfills the obligations related to ongoing management and monitoring of the privacy and security program in the facility
- Complete a comprehensive risk assessment. The HIPAA security rule requires that covered entities and business associates conduct a risk assessment to ensure compliance with HIPAA’s administrative, physical and technical safeguards. Access a free Security Risk Assessment Tool at https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
- Review and update HIPAA privacy and security policies and procedures
- Inventory all devices that store or access PHI or other sensitive data; consider encryption of those devices that meets the NIST Advanced Encryption Standard (AES)
- Assess the effectiveness of current anti-virus software, anti-malware software and firewall protections.
- Review staff compliance with regularly installing software updates and security patches
- Ensure job descriptions address HIPAA and the level of access to PHI required to perform specific duties based on staff roles
- Review and update the Privacy Notice and assess your current process: A sample notice is available through the Department of Health and Human Services at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html
- Review and update training related to HIPAA privacy and security. Consider including case study scenarios to practice applying key principles, in lieu of only web-based training. Teach staff how to apply real-life safeguards and address facility-specific procedures for protecting PHI and e-PHI. Maintain training records.
- Review and test facility mitigation procedures and contingency plans, with special consideration of how the facility would respond to a cyberattack or security breach. The Office for Civil Rights (OCR) provides a quick-response checklist to guide providers in managing an effective response. The OCR site also includes other helpful tools, including a ransomware fact sheet.
- Prepare to respond to a HIPAA audit by reviewing the Office for Civil Rights (OCR) official Audit Protocol
- Develop an audit work plan and conduct audits based on identified risks. You may consider topics such as, but not limited to:
  - Audit current security safeguards based on the NIST Cybersecurity Framework
  - Audit compliance with portable and mobile device use
  - Audit compliance with email use and consider a phishing test of staff
  - Audit Business Associate Agreements (BAAs)
  - Conduct penetration testing of the network
  - Conduct regular monitoring on the unit (workstation safeguards are implemented per policy, staff communications related to patient care, etc.)
Ongoing compliance with HIPAA requires a continual review of existing threats and responsive risk mitigation. Take steps in 2020 to protect privacy and security with a targeted work plan as part of the facility Compliance and/or QAPI programs.
Contact Proactive to learn more about assistance with developing or implementing your SNF Compliance and Ethics Program.