How to Ensure HIPAA Policies and Procedures Are Effective and Enforceable


LinkedIn Live Discussion Highlights

All stakeholders (payers, providers, and software developers) who use, record, access, or store patient data have a duty to protect the privacy, security, and integrity of that protected health information. HIPAA compliance is a critical step toward keeping that sensitive data secure. During a recent LinkedIn Live discussion, Samuel Hinson, Business Unit Leader of Compliance and Cybersecurity Services, and Bob Bryan, Senior Director of Advisory Services, both from Drummond Group, explored how to develop and implement the enforceable policies and procedures organizations need to meet and maintain HIPAA compliance while avoiding the erosion of patient trust, reputational damage, and financial penalties. Below are some of the key points from the conversation.

Challenges When Building Processes

One of the main challenges organizations face when trying to comply with the HIPAA Security Rule is a lack of alignment between policies and practices. In some cases, organizations have established practices without corresponding policies, or policies without corresponding practices. This misalignment lets compliance and security drift out of sync with expectations, and it leaves nothing to enforce and no one accountable. To address this, policies must make sense across the entire organization, be customized to the needs of specific environments and regions, and be aligned to business objectives. Sam noted that it is common for companies to have different regional procedures based on distinct business solutions or processes, but any region-specific policies should always support the company's primary policies. 

It is essential that policies be supported by senior management, whose input gives them comprehensive coverage and a solid foundation for the organization's security practices. Even sound security practices can collapse if they are not backed by enforceable policies.  

Regular policy and procedure reviews and testing are essential to maintaining compliance. When Sam was asked how testing should be incorporated into the compliance plan, he provided the following actionable steps:  

  1. Ensure you fully understand all related policies.
  2. Build your procedures and processes to support those policies.
  3. Test to identify vulnerabilities.
  4. Remediate any of the gaps and vulnerabilities identified during testing.
  5. Test and remediate again on an annual basis. 

As new technologies emerge, organizations must adapt their policies and practices to keep pace with regulatory change. At the end of last year, EHR developers rolled out their first FHIR APIs to support the ONC (g)(10) certification criterion. With (b)(10) electronic health information (EHI) export now approaching, organizations need policies and processes in place for things like third-party SMART on FHIR app connections to the (g)(10) API and access to (b)(10) export data. When weighing the impact of the (g)(10) criterion, and what testing a brand-new API needs (penetration testing among it), preparing policy-compliant operational practices ahead of time is critical. 
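One concrete thing a penetration test of a new (g)(10) API should probe is whether a third-party app's token can reach only the patient it was launched for. The block below is an added example, not code from Drummond Group or from any EHR vendor: it implements the SMART App Launch v1 scope grammar (for example `patient/Observation.read`) in a single authorization check and exercises it against constructed resources and tokens. The resource and token structures are assumptions made for illustration; a real server applies these checks against its own data model and must also enforce FHIR compartment rules and the newer SMART v2 scope syntax, which this example does not cover.

```python
"""Added example: a fail-closed SMART-on-FHIR v1 scope check of the kind a
penetration test of a new (g)(10) API should exercise.  Not code from
Drummond Group or any EHR product; tokens and resources are constructed."""

import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# SMART v1 scope grammar: <context>/<ResourceType or *>.<read|write|*>
SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Za-z]+|\*)\.(read|write|\*)$")


@dataclass(frozen=True)
class Token:
    """Assumed shape of an access token after validation (illustrative)."""
    scopes: FrozenSet[str]
    patient: Optional[str]  # launch context: patient the token is bound to


@dataclass(frozen=True)
class Resource:
    """Assumed minimal view of a stored FHIR resource (illustrative)."""
    rtype: str    # e.g. "Observation"
    rid: str      # logical id
    patient: str  # subject/owner of the resource


def parse_scope(scope: str):
    """Return (context, resource_type, permission) or None if malformed."""
    m = SCOPE_RE.match(scope)
    return m.groups() if m else None


def is_authorized(token: Token, resource: Resource, action: str) -> bool:
    """True only if some scope on the token permits `action` on `resource`.

    Fails closed: any malformed scope rejects the whole token, and a
    patient/ scope without a bound patient context grants nothing.
    """
    if action not in ("read", "write"):
        return False
    parsed = [parse_scope(s) for s in token.scopes]
    if any(p is None for p in parsed):
        return False  # tampered or unexpected scope string: deny everything
    for ctx, rtype, perm in parsed:
        if rtype not in ("*", resource.rtype):
            continue
        if perm not in ("*", action):
            continue
        if ctx == "patient":
            # Patient-facing app: confine to the launch-context patient.
            if token.patient is None or resource.patient != token.patient:
                continue
        return True
    return False


# Constructed sample data: two observations belonging to two patients.
PATIENT_A_OBS = Resource("Observation", "obs-1", "patient-A")
PATIENT_B_OBS = Resource("Observation", "obs-2", "patient-B")


def demo() -> dict:
    """Run the cases a tester would try against the API and report outcomes."""
    app_token = Token(frozenset({"patient/Observation.read",
                                 "patient/Patient.read"}), "patient-A")
    bulk_token = Token(frozenset({"system/*.read"}), None)
    return {
        "app reads own patient":   is_authorized(app_token, PATIENT_A_OBS, "read"),
        "app reads other patient": is_authorized(app_token, PATIENT_B_OBS, "read"),
        "app writes own patient":  is_authorized(app_token, PATIENT_A_OBS, "write"),
        "bulk reads any patient":  is_authorized(bulk_token, PATIENT_B_OBS, "read"),
        "bulk writes":             is_authorized(bulk_token, PATIENT_B_OBS, "write"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:26s} -> {'ALLOW' if allowed else 'DENY'}")
```

The cases in `demo()` map directly onto test steps: request another patient's resource with a patient-scoped token (must be denied), attempt a write with a read-only scope (denied), and confirm that a `system/*.read` bulk-export token reads across patients but still cannot write. Two further probes worth keeping in the test plan are a patient/ scope issued without a patient context and a token carrying an unparseable scope string; both must be refused outright rather than treated as a wildcard.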

Common Gaps

Sam and Bob closed out the discussion by reviewing some common gaps in HIPAA policies and practices, such as: 

  • incomplete documentation 
  • lack of organizational customization 
  • inadequate enforcement 
  • use of generic templates 
  • lack of accountability 

In conclusion, developing and implementing enforceable HIPAA policies and procedures is crucial for organizations in the healthcare industry. By aligning policies with practices, obtaining senior management buy-in, conducting regular reviews, and addressing common gaps, organizations can enhance their compliance efforts and information security practices. Staying up to date with industry developments and emerging technologies is essential to ensure ongoing compliance with HIPAA regulations. 

If you want to learn from the experts and stay current with interoperability and security standards testing, certification, and compliance requirements—then you won’t want to miss Drummond Group’s upcoming LinkedIn Live events. 

Don’t miss out on the action! Follow the Drummond Group Company Page on LinkedIn and be the first to know about all our live-stream events. You’ll not only gain valuable insights from our expert speakers, but you’ll also have the opportunity to ask questions and engage with other industry professionals. 
