By Deborah A. Cmielewski, Esq.

As we embark upon the new year (and approach the third year of the COVID-19 pandemic), it is important for parties subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to update their compliance plans. Covered entities and business associates are required to review and update their HIPAA compliance plans on a regular basis. Among the crucial items warranting attention include updating policies and procedures; administering security awareness and training programs; and performing the vitally important risk analysis.

Risk Analysis

The HIPAA rules require covered entities and business associates to assess the risks and vulnerabilities to the confidentiality, integrity and availability of the electronic protected health information (“ePHI”) within their custody and control on a thorough and accurate basis. It is good practice to perform a risk analysis annually, as well as following any major changes in the organization that could have an effect on ePHI (i.e., implementation of a new electronic health record system; major software revision/update; etc.). Think of the risk analysis as an annual check-up, which brings to the forefront deficiencies, areas needing improvement and items to focus on throughout the course of the year. Like the annual check-up, though, the risk analysis tends to become the least desirable item on the “to do” list.

In years past, the task of performing a risk analysis was more daunting and often required parties to engage outside consultants, often at a hefty price tag, to complete the exercise. Not surprisingly, the vast majority of the HIPAA settlements entered into by the U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”) include penalties for failing to perform and/or to update the risk analysis. The Office of the National Coordinator for Health Information Technology (“ONC”) worked together with the OCR to design a downloadable Security Risk Assessment Tool (“SRA Tool”), to enable small to medium-sized covered entities and business associates to perform their own risk analyses. Initially rolled out in 2016, the ONC and OCR released an updated (and more user-friendly) version of the SRA Tool in 2018. Given the accessibility to the SRA Tool, the OCR has little tolerance for parties subject to HIPAA to ignore this key element of the compliance plan.

Training

The HIPAA rules also mandate that covered entities and business associates implement a security awareness and training program for the entire workforce, including those performing managerial functions. Training should occur at the commencement of employment or engagement and should be repeated on an annual basis and as-needed following implementation of new processes or procedures involving ePHI or following an incident, such as a data breach or near miss. It is time to put the annual training on the calendar to keep your workforce refreshed on HIPAA basics and educated about how you intend to operate as we approach the third pandemic year. 

Policies and Procedures

HIPAA requires covered entities and business associates to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and requirements set forth in the rules. Policies and procedures must be set forth in writing; made available to the workforce; and reviewed and updated in response to environmental or operational changes affecting the security of ePHI. Have you updated your policies and procedures since the start of the pandemic? Do they accurately reflect how you are doing business now and include any changes that you have implemented throughout the course of the pandemic? Put the policies and procedure review on your checklist of important priorities sooner rather than later.

As we (hopefully) move toward a resolution of the pandemic, now is the time to take stock of your HIPAA compliance plan in a meaningful fashion. An outdated HIPAA compliance plan is a breeding ground for problems and the potential for significant economic consequences in the event of a data breach or an audit. Now is the time to schedule your annual HIPAA check-up. 

For more information, contact Deborah A. Cmielewski at dac@spsk.com or at (973) 540-7327.