Chris Reddick and Ron Halversen of Clarity Ventures talk about the easiest steps to take to become HIPAA compliant.

Part 10 of a 13-part series (Return to Part 9)

RON: I wanted to ask you one question before we move on to the HIPAA Breach Rule. Back here on the enforcement rule history...do our listeners have to go through every one of these software change notices where they're just deltas, or is this a rewrite update? It looks like the most updated version is from 2013. Can we just jump into the 2013, read that, and have a fairly good understanding of what the most recent enforcement rule looks like? 

CHRIS: I would say you would need all of them. But the other thing that I would note is, those are really detailed legal documents, and anyone is welcome and encouraged, if you want to read them, to read them. But the OCR has put this resource together to make a rule book for it on the official HIPAA website.

If you want to really make sure that you're complying with that. The biggest thing that you're seeing here is this idea of proactivity, constantly being on the latest industry HIPAA best practices for security, making sure that you're responding immediately to privacy and data requests, making sure that you're respecting people's privacy and minimum use, access, safeguards, etc. Those are the things that you want to really pour your energy into. 
 
A lot of that you get with the SRA, the security risk assessment. Going through a lot of the compliance auditing, using tools that can help you stay organized around that. There are free tools from NIST and from the OCR that can help you do that. But there are also great third parties. We talk about Accountable HQ all the time. They're not the only one that does it, but they're a great partner that can help you with your HIPAA compliance and your documentation and auditing.  


CHRIS: If I were to pour energy in first, if I hadn't done anything else, I would pour it into working with someone like Accountable HQ or with the NIST or OCR/HHS-based tools, security risk assessment, and just overall HIPAA compliance auditing tools. That would be where I would put all of my time: in training my staff, reducing access, and documenting that I'm doing all of those things. That is really the meat and potatoes of this and what you see in all of these compliance resolutions.
 
RON: Two things where I would put my time—from the white papers I've written literally in the last two weeks—is work with a partner like Clarity, someone who can help evaluate your software. You saw all of the resolutions and what the problems were in the audits. The first thing was the access, right? [Access] was issue number one for the last five years. So have someone like Clarity evaluate your software, evaluate your tools, do an audit, make sure your tools are protecting and providing the ability to do that.

The second one, you see the name here, HITECH. There's a HITECH blueprint for your security infrastructure. And that's the second thing that I would do. So like Chris said, pour yourself into the tools, do the audit. At the same time, figure out if your software is allowing for the protection and the control over that access to the ePHI.

I know we talked about that in the earlier rule when we were talking about the privacy rule, back when we said the x-ray technician could go in and upload an x-ray to my record, but that x-ray technician shouldn't be able to go into my record and see that Ron has type-2 diabetes or anything else that's not in their purview. They don't have a right to that. So if you just give them admin access so that they can go in and take an x-ray and have access to upload that to my record, and then they go see something else that's of interest and then share that information, that's where that access rule is.

The people in the office and the rest within your practice need to have very scoped access to the HIPAA data that is only applicable to what they provide, when they provide it. Sometimes it's not as much as—well, they do that all the time, so they have access to that. "But they haven't seen that patient; that person hasn't been a patient forever. They shouldn't still have access to those records."

Continue to Part 11 to learn about the HIPAA Breach Notification Rule.