Is your HIPAA compliance checklist for 2021 ready? The Healthcare Insurance Portability and Accountability Act (HIPAA) plays a critical role in healthcare organizations, and the end of the year is an excellent time to take a comprehensive look at your organization’s best practices and plan for the future with a HIPAA compliance checklist for a New Year. Although the regulations have been around for over 24 years, they are often subject to updates. This year, in particular, brought substantial changes to the rules.
Now is an excellent time to take stock and ensure your organization is following the most up-to-date procedures. As you compile your HIPAA compliance checklist for 2021, take a look at the following updates and tips to help you best prepare.
What should be on your HIPAA compliance checklist for 2021?
To make sure your organization is implementing guidelines correctly, you can follow these steps.
- Conduct a HIPAA risk assessment that will point out vulnerabilities in your organization’s handling of Protected Health Information (PHI). The evaluation should be a complete look at how you handle PHI, including email, data storage, encryptions, possible threats, and the likelihood of a data leak.
- Create policies for remote work and telehealth visits. The increase in virtual doctor visits requires your organization to keep up with the regulations and educate your employees on the requirements.
- With the information from your risk assessment, create a new plan, and implement your new procedures. This should include employee training and education.
- Document every step and document it well. If you are subject to an audit from the Office of Civil Rights (OCR), you will be required to turn over all of your documentation. The government will usually take into account evidence of a good-faith effort.
In addition, Health and Human Services (HHS) have laid out a guidance for the fundamentals necessary for a HIPAA-compliant program. They are as follows:
- Administer written policies for standards of conduct.
- Appoint a compliance officer and compliance committee.
- Train and educate employees.
- Allow open communication with staff.
- Perform self-audits.
- Communicate to staff the disciplinary consequences of failing to follow the rules.
- Immediately respond to transgressions and make corrections.
Were HIPAA rules relaxed this year?
The pandemic brought many changes to the healthcare industry, including a relaxing of some of the HIPAA laws intended for patient privacy. Notice that a temporary modification of the HIPAA rule is not the same as a permanent update and/or modification. When a public health emergency is declared, HHS has the right to waive penalties for non-compliance with certain HIPAA rules.
In February 2020, the Office for Civil Rights (OCR) released information for sharing patient information during public health emergencies. Keep these updates in mind while preparing your HIPAA compliance checklist 2021:
- PHI can be communicated without patient authorization to manage patient care and referrals.
- Healthcare organizations need to alert public health authorities of infected patients. They can share PHI with the Centers for Disease Control (CDC) and state and local health departments without patient authorization.
- Healthcare professionals must make judgments as to when the disclosure of PHI is necessary for public health safety.
Another change from the OCR came in response to the increased need for providers to create a virtual health strategy for the safety of patients and staff. The OCR relaxed its privacy rules related to telehealth by stating that it will not enforce penalties when organizations commit noncompliance in “good faith” use of audio or video products for virtual doctor’s visits. They refer to healthcare providers’ use of certain applications for video chats, such as Facebook Messenger, Google Hangouts, Skype, Zoom, and Apple FaceTime. They do not allow for the use of Twitch, TikTok, or Facebook Live.
Various updates are subject to further modification or may revert to the original regulations after the public health emergency has ended.
The OCR does, however, encourage providers to engage in a business associate agreement with their video chat vendors. They provide a list of vendors found here, which are HIPAA-compliant. Note that they do require patient consent, and the documentation of that consent before a virtual doctor’s visit begins.
Community-based testing sites are another area where the OCR has relaxed HIPAA rules. They will not enforce penalties in instances of “good faith participation” of mobile, walk-up, and drive-through testing sites.
The importance of following HIPAA regulations
Covered entities AND business associates are subject to HIPAA rules. Business associates are entities or individuals that engage in business with the covered entity. Organizations that fall under these categories include healthcare providers, health insurance companies, and healthcare clearinghouses.
HIPAA protects patient information and ensures that patients have easy access to their own information. Failure to comply with HIPAA regulations can involve lengthy investigations, stiff penalties, and ongoing government monitoring.
The benefits of a third-party consultant
Is your HIPAA compliance checklist for 2021 ready for the new year? Now is the perfect time to get your organization prepared.
Ignorance of HIPAA rules is no excuse for noncompliance. Pleading ignorance of the rules will not get you out of an investigation by the OCR. You must understand the rules and how they affect your organization, including the many updates that have been made due to the recent public health crisis.
A third-party consultant can come into your organization and conduct a HIPAA risk assessment. A risk analysis will identify what you are doing right as well as areas that need improvement. Having an outside party conduct your assessment provides an objective review by a team of professionals. HIPAA regulations are complex, and it is useful to have highly experienced individuals conducting assessments and implementing new plans.