As you prepare the SNF Compliance and Ethics Program work plan for 2020, consider planning a review of the facility HIPAA privacy and security program and take steps to manage risk. Consider these 12 tips to get started:

  1. Designate a privacy officer, security officer, and/or compliance designee who fulfills the obligations related to ongoing management and monitoring of the privacy and security program in the facility.
  2. Complete a comprehensive risk assessment. The HIPAA Security Rule requires that covered entities and business associates conduct a risk assessment to ensure compliance with HIPAA's administrative, physical and technical safeguards. Access a free Security Risk Assessment Tool at
  3. Review and update HIPAA privacy and security policies and procedures
  4. Inventory all devices that store or access PHI or other secure data; consider encrypting those devices with encryption that meets the NIST Advanced Encryption Standard (AES).
  5. Assess the effectiveness of current anti-virus software, anti-malware software and firewall protections.
  6. Review staff compliance with regularly installing software updates and security patches
  7. Ensure job descriptions address HIPAA and the level of access to PHI required to perform specific duties based on staff roles
  8. Review and update the Privacy Notice and assess your current process. A sample notice is available through the Department of Health and Human Services at
  9. Review and update training related to HIPAA privacy and security. Consider including case study scenarios to practice applying key principles, in lieu of only web-based training. Teach staff how to apply real-life safeguards and address facility-specific procedures for protecting PHI and e-PHI. Maintain training records.
  10. Review and test facility mitigation procedures and contingency plans, with special consideration of how the facility would respond to a cyberattack or security breach. The Office for Civil Rights (OCR) provides a quick-response checklist to guide providers in managing an effective response. Other helpful tools, including a ransomware fact sheet, are available at the same site.
  11. Prepare to respond to a HIPAA audit by reviewing the Office for Civil Rights (OCR) official Audit Protocol
  12. Develop an audit work plan and conduct audits based on identified risks. You may consider topics such as but not limited to:
        • Audit current security safeguards based on the NIST Cybersecurity Framework
        • Audit compliance with portable and mobile device use
        • Audit compliance with email use and consider a phishing test of staff
        • Audit Business Associate Agreements (BAA)
        • Conduct penetration testing of the network
        • Conduct regular monitoring on the unit (workstation safeguards are implemented per policy, staff communications related to patient care, etc.)

Ongoing compliance with HIPAA requires a continual review of existing threats and responsive risk mitigation. Take steps in 2020 to protect privacy and security with a targeted work plan as part of the facility Compliance and/or QAPI programs.

Contact Proactive to learn more about assistance with developing or implementing your SNF Compliance and Ethics Program.

Blog by Amie Martin, OTR/L, CHC, RAC-CT, Proactive Medical Review

Learn more about Amie and the rest of the Proactive team.