Let’s talk about one of the greatest military mistakes of all time.
The year was 260 BC. The Chinese states of Qin and Zhao were at war. Zhao pushed hard against the Qin army in an attempt to end a three-year siege of the fortress of Shangdang. Outnumbered, the Qin army retreated.
Victory for the Zhao army, right? Not quite.
The general of the Zhao army, the aptly named Zhao Kuo, was eager to end not just the siege, but the war as well. When his enemy retreated, he believed he saw an opportunity. With little thought given to planning or provisions, he pursued. In his aggression, his troops advanced quickly—too quickly for the supply train to keep pace.
The Qin cavalry pulled off a massive ambush, completely obliterating Zhao’s supplies. Without food or provisions, Zhao Kuo was forced to retreat to Shangdang. 46 days later, he died trying to lead his men out of Shangdang. The rest of his army was captured and executed.
The Zhao managed to turn a clear victory into a crippling loss, all because they lacked the foresight to attend to critical details.
HIPAA Compliance—One of Those Critical Details
If HIPAA regulations apply to your business, you most likely already understand how important compliance is. After all, a single HIPAA violation can cost your company as little as $100 or as much as $1.5 million. This is an area where you can’t afford to be lax.
And yet, a surprising number of companies understand the importance of regulatory compliance . . . without actually doing what needs to be done to avoid violations. And that’s not necessarily because SMBs don’t take compliance seriously. Consider this:
The fact that regulations change on a regular basis doesn’t help, either. 47% of companies cite the ever-changing nature of compliance rules as the single biggest challenge to remaining compliant.
But there’s good news, too. There are things you can do, even on a limited budget, to keep your organization compliant. Consider the following tips your crash course in HIPAA compliance.
These are the basics. If you’re new to compliance, the following tips will get you going. And if you’re a HIPAA compliance pro, it never hurts to brush up on the fundamentals.
Determine where you are.
If you have no idea where to begin, we can tell you—risk assessment. Study up on the HIPAA regulations that apply to you, and then dig into your current policies, software and cybersecurity to see how you measure up.
Don’t freak out if you find some holes. Just make note of them so you can address them as you move through the rest of these steps.
Build off of your baseline.
Taking what you learned from your risk assessment, do what you can today to deal with any significant lapses. Many HIPAA regulations can be handled quickly with simple policy changes. If there’s low-hanging fruit, close those gaps.
All those notes you have on the HIPAA regulations that apply to your organization and your internal policies to address them? You need to write those down. Create a thorough record that everyone in your organization can easily access. You’ll use this to maintain compliance and as a benchmark for future risk assessments.
Speaking of maintaining HIPAA compliance . . .
Managing the Beast
Now that you’ve got the basics covered, let’s dig into some of the more complex aspects of HIPAA compliance. This is how you remain compliant (and avoid those costly fines).
Keep yourself in the know.
As we mentioned above, HIPAA regulations change frequently. Sometimes the changes are little more than minor tweaks, and sometimes (as in the case of the more recently added HITECH rules) the changes are more dramatic.
Industry-specific publications, trade associations and training sessions are all good resources for making sure you’re aware of any changes that affect your organization.
Get really serious about cybersecurity.
In 2016, more than 16 million patient records were exposed due to cybersecurity breaches. You can’t really deal with HIPAA compliance without also staying on top of cybersecurity.
Network security is its own topic, and there’s a lot of ground to cover to keep your company safe from the scheming ways of cyber criminals. Make sure you have a solid plan in place for cybersecurity.
Be careful about where you keep things.
Like cybersecurity, data storage is a significant concern. HIPAA compliance includes regulations for where and how sensitive information can be stored. What seems easy, budget-friendly or convenient may or may not be compliant.
Don’t assume your data storage solutions fit the bill. Make sure.
Close the right doors.
The Equifax breach of 2017 taught us a lot about the importance of cybersecurity. One of the pivotal lessons was this: security depends on privacy, and privacy depends on security.
Don’t just give every employee access to sensitive information. Know who really needs access, and limit access as much as possible. If your receptionist doesn’t have a business need to access the drive where private, HIPAA-protected records are stored, don’t give him access!
Mind the gap.
Dovetailing off the idea of limiting access, think long and hard about your BYOD policy.
BYOD stands for “bring your own device.” It applies to devices like personal smartphones, tablets and laptops. If employees connect their own devices to your network, you need a BYOD policy. And if HIPAA compliance applies to you, that policy needs to take into account what kinds of data employees can access with their own hardware—devices you have no control over.
When it’s gone, make sure it’s gone.
Deleting a file doesn’t really mean it’s gone. Often, there are traces of it in all sorts of places—on the server, on personal hard drives or on mobile devices.
When it’s time to delete HIPAA-protected records, make sure the records are fully and completely deleted. This is especially true when retiring or repurposing old hardware.
Plan for the worst.
After you’ve checked off everything else on this list, decide what you’ll do if you missed something. This should be a part of your backup and disaster recovery (BDR) plan and serves several purposes.
If there’s a breach, you’ll want to minimize data loss. If there are fines associated with HIPAA violations, you’ll want to minimize those, too. And finally, your reputation as a company could take a hit. A BDR plan can lessen that blow, as well.
We have one final tip. But before we get to it, we’d like to preface it. The above suggestions will go a long way to protecting your organization and helping you manage the considerable chore of HIPAA compliance. We’re proud to offer solid, helpful advice with no strings attached.
Even if you stop reading at the end of this sentence, we hope you’ll put the rest of our advice to good use.
That said, the easiest and most effective thing you can do to deal with HIPAA compliance is enlist the help of a professional consultant. HIPAA regulations are unwieldy, complicated and complex. What’s more, aligning your tech solutions with HIPAA rules is a huge challenge.
Professional compliance consultants take that burden off of your shoulders.
You get the benefit of HIPAA compliance without the headache of jumping through all the hoops, yourself. We would be delighted to help out, but whether or not you give us a call, we recommend calling someone who does this stuff for a living. Given the stakes, professional consultation is well worth the expense.