Cyber Defense Magazine – July 2019

Sean Pound

Given the severe consequences of failure to comply with HIPAA standards, it’s imperative that health
care orgs do everything within their power to get their affairs in order, starting with the following:


Be better prepared for eDiscovery requests and HIPAA audits. When it comes to HIPAA audits, it isn’t a
matter of whether you’ll be audited, but when. There are measures you can take, such as thoroughly
documenting HIPAA policies and procedures within your organization, conducting routine risk
assessments and creating in-depth training materials, to prepare for when that day inevitably comes. It’s
also in your best interest to implement a software solution that makes it easier for your legal team to
respond to eDiscovery and litigation requests to streamline the audit process.


Properly maintain — and dispose of — patient data. The key to properly maintaining patient data is to
enforce strict data security standards. The HHS defines these standards under its Security Rule;
requirements include detailed administrative and technical requirements, as well as implementation
specifications and organizational and documentation requirements.


As far as the disposal of patient data is concerned, PHI cannot be disposed of unless the individual
identifying information is removed or destroyed. This is easier said than done in the world of electronic
communications, and the HITECH government mandate complicates things further, so be sure to do your
due diligence prior to disposing of anything.


Maintain an email archive. Email archiving isn’t required under HIPAA’s Security Rule, but storing all
electronic communications in a single location can go a long way toward ensuring HIPAA compliance.
That’s because maintaining an email archive makes it easier to screen incoming and outgoing emails,
create custom retention policies, index and search emails, monitor who has access to your organization’s
emails, and quickly recover any emails that were accidentally deleted.


Develop a comprehensive HIPAA disaster recovery plan. One of the administrative safeguards outlined
in the HIPAA Security Rule is that health care orgs must have a contingency plan in place, one that
includes a detailed disaster recovery plan.


That plan should consider the following:

  • Does the plan address issues specific to my operating environment?

  • Is a copy of the plan ready and accessible at more than one location?

  • How will operations be conducted in the event of an emergency?

  • Which members of my organization will be responsible for carrying out operations in the event of
    an emergency?

  • How will confidential data and safeguards for that data be restored after a disaster?


Even health-related organizations that are diligent about HIPAA compliance make mistakes from time to
time. Don’t let that discourage you — so long as you make a good faith effort to cover all of your bases,
you can provide your patients with peace of mind and rest assured that your business is well-protected.