HIPAA Demystified
Purpose
Why write this document? There are plenty of sources of information regarding HIPAA online, including authoritative ones. At ComplianceBot, we believe that people looking for information on HIPAA are drowning in it. The guidance is confusing, contradictory, presented from various perspectives, and not necessarily aligned with the needs of a business.
This article presents HIPAA for a technology business looking to balance the needs of patient data protection with the business needs of growth and scale.
Why is HIPAA Confusing?
HIPAA (Health Insurance Portability and Accountability Act) is different from other compliance programs. If your organization touches protected health information (PHI), you are subject to HIPAA; it is mandatory. There is no third-party audit or official certificate for HIPAA. You have to understand HIPAA, interpret it for your organization, and make sure a regulator agrees with your interpretation in the event of an external audit. This uncertainty adds to the confusion and frustration around implementing an effective compliance program.
Striking a Balance
Business operators want to balance doing the right thing with the survival, growth and scale of the business. The confusion around HIPAA leads to suboptimal outcomes, ranging from analysis paralysis resulting in inaction to very onerous implementations that result in high cost and complex processes out of proportion with the size and scale of the organization.
The Right Approach to HIPAA
At ComplianceBot we take a pragmatic approach to HIPAA that balances the needs of patient confidentiality, regulatory compliance and business priorities.
Assess Needs, Focus on Specific CFRs
It is best to begin by assessing the organization's posture with respect to HIPAA. Aggressively filter out items from the Code of Federal Regulations (CFRs) regarding HIPAA that do not apply to the organization. For example, a significant number of HIPAA CFRs do not apply to business associates.
As another example, if an organization supports remote work and restricts PHI to the cloud only, several CFRs related to physical and environmental security no longer apply, or are greatly simplified.
Create Roles and Responsibilities
HIPAA calls out certain roles with corresponding responsibilities. In many cases, one person might fulfill multiple roles. It helps to create a separate roles and responsibilities document that matches people to their roles. This simple bit of refactoring keeps your policy and procedure documentation uncluttered. It also protects that documentation from going out of date as people move in, out or around the organization.
Create Tight Policy Statements
Policy statements are critical. They formalize what an organization is committing to do in response to the HIPAA CFRs. It is best to create straightforward policy statements that directly address each CFR, point by point. The language should be very direct and address the requirements of the CFR. For example:
164.308(a)(3)(ii)(A) - Authorization and Supervision for workforce members
It is the Organization’s policy to: 1. Formulate, implement, and regularly review procedures for the authorization and supervision of workforce members who work with electronic protected health information (ePHI) or in locations where ePHI might potentially be accessed …
Create Actionable Procedures
Procedure statements tell your workforce (and auditors) precisely how your organization plans to implement the commitments in the policy statements. Critical elements of an effective procedure statement are:
- Who: Which roles or teams will execute the procedure
- How: How exactly will the procedure be done
- When: At what time the procedure will be done: recurring (at what frequency?) or as needed (what will trigger it?)
Having procedures crisply articulated in this way lets your team actually execute them. Not only does this make your organization more secure, it also presents well in the event of audits.
Ensure Your Team Knows It
HIPAA requires an organization's management to officially sign off on the policy and procedure document set and adopt it. HIPAA also requires that your workforce has read and acknowledged these documents. Keeping an audit trail of authoring, approval, dissemination and acknowledgement is a key piece of evidence for your HIPAA program.
Actually do the Work
Your HIPAA document set represents a commitment by your organization to operate in a certain manner. The reason to craft your documentation in the manner described above is that it makes clear what your obligations are and how to go about meeting them. The next step is to run your processes on the schedule and triggers you documented. This can seem daunting at first. However, the procedures in HIPAA are common-sense best practices that will add to the security posture and maturity of your organization.
A Solution that Incorporates Best Practices
ComplianceBot incorporates these practices from the very first step. The AI guides you through program creation so that you focus only on the HIPAA CFRs that apply to your business. It continues the process by using AI to generate custom-fit policy and procedure text that is built for your organization and is clear to the team responsible for implementing it.
ComplianceBot goes further and helps you operationalize your program by automating the obligations in your documentation.
To learn more about ComplianceBot, try it for free, or contact us for a demo.