2. IMPLEMENTING YOUR HIPAA COMPLIANCE PLAN | 2
IMPLEMENTING YOUR
HIPAA COMPLIANCE PLAN
A MONTH-BY-MONTH HIPAA COMPLIANCE GUIDE
In this plan, you’ll see an emphasis on two words: documentation and training. Here’s why: documentation and training are the two most important pieces of the entire Health Insurance Portability and Accountability Act (HIPAA) compliance process. Documentation helps you understand what has been done, what still needs to be done, and where the problems are. Documentation is also your proof in the case of compromise or investigation. Employee training is what keeps your organization compromise-free.
Neither documentation nor training should be piled into just one day, or one month. If you only train employees once a year, you’re doing it wrong. If you try to document your entire HIPAA compliance plan in December every year, you’re doing it wrong. Documentation and training should be an ongoing part of your plan.
Even though 80% of healthcare entities believe their organization is fully HIPAA compliant, many are actually missing key compliance elements with the HIPAA Security Rule.
JANUARY
UNDERSTAND YOUR ORGANIZATION
Before you start anything else on your HIPAA timeline, the first thing you must do is find where your protected health information (PHI) is located. Why? Only by finding PHI will you know how to protect it. This is the first step to creating that very important HIPAA Risk Analysis required by the Department of Health and Human Services (HHS). To find your data, you have to learn every single process it goes through, every computer it sits on, every person who touches it, and every technology that has access to it.
YOUR JOB THIS MONTH?
BECOME THE EXPERT ON
ALL THINGS PHI.
The people on the ground handling this data on a daily basis will give you the most accurate look into the different data lifecycles in your organization. Start your new year by interviewing every department that touches PHI in any way, including third parties. Talk to different people within each department. They can uncover processes and technologies that no organization chart, tool, or previous data analysis could expose.
By the time you’re done with your extensive interview process, here are some things you should be able to identify:
• How data enters your environment
• Where it goes after entering the environment
• Where it’s stored
• If it’s sent off to a third party
• If it’s printed and stored
• If it’s recorded straight into the Electronic Health Record (EHR) system
• Workforce members who can extract PHI from the EHR system
• How employees store PHI after they download it from the EHR system
• If it’s encrypted
It doesn’t matter what healthcare organization you work for; you will discover hundreds of data paths.
Throughout the month, ensure you understand how technology and personnel affect PHI. Record every computer, medical device connected to the Internet, office computer workstation, doctor tablet, and employee BYOD smartphone.
Document what you’ve learned; be as detailed as possible. Draw pictures, make lists, and record the who, what, when, where, how, and why. Documentation should rule your world for three main reasons:
1. Your future. If you document, you’re making next year’s job that much easier.
2. Your legacy. Documentation will give future successors a great view into the environment.
3. The HHS. If the HHS comes knocking, documentation is your get-out-of-jail-free card. If you can show them how you’re working toward full HIPAA compliance, they’ll be much more lenient.
FEBRUARY
CREATE AND DOCUMENT A FLOW CHART
What have you learned in the past month? To process the information you learned and organize it in a way that will make sense in the future, craft a PHI flow chart.
A PHI flow chart is a graphical representation of where PHI comes into your organization, where it hangs out, who can access it, and where it leaves the organization. Most flow charts look like the typical box and arrow format, but feel free to get creative.
FLOW CHARTS ARE OFTEN MASSIVE.
HEALTHCARE IS PROBABLY THE MOST
INTERCONNECTED INDUSTRY IN THE WORLD.
Patients fill out forms at hospitals, which pass patient records to doctors’ offices, which then transfer medical records to pharmacies. Patients add sensitive information to third party patient portals online, which then email a dentist receptionist, who then prints and stores it in a giant file cabinet.
This interconnectedness is great for patients but an absolute nightmare for security. Generally, the more places that have access to patient information, the higher the chances for a HIPAA compromise or data breach. And that’s why PHI flow charts are so important. They document every instance within your own environment where PHI could enter, exist, or exit. This flow chart will assist you during the rest of this year’s HIPAA compliance plan.
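The inventory January asks for and the flow chart February asks for can be kept as data rather than only as a drawing. What follows is an added example (not code from this guide or its author) that models PHI hops and stores for a hypothetical clinic, derives the entry points, third-party egress and unencrypted hops the interviews are meant to surface, and emits Graphviz source for the box-and-arrow chart. Every node name, channel and inventory entry is a constructed assumption.

```python
"""PHI data-flow inventory as a graph.

Added example; not part of the original guide. The hops and stores below
are constructed for a hypothetical small clinic. From them we derive the
answers the January interviews are meant to surface (entry points, storage
locations, third-party egress, unencrypted hops) and emit a Graphviz sketch
of the February flow chart.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    src: str            # where PHI comes from
    dst: str            # where it goes
    channel: str        # e.g. "https", "email", "paper", "sftp"
    encrypted: bool     # protected in transit? (not meaningful for paper)
    third_party: bool   # does dst belong to an outside organization?


@dataclass(frozen=True)
class Store:
    node: str
    medium: str         # "ehr", "laptop", "file-cabinet", ...
    protected: bool     # encrypted at rest, or locked for paper records


# Constructed inventory (assumption: one clinic, a few systems and people).
HOPS = [
    Hop("patient-portal", "intake-desk", "https", True, False),
    Hop("intake-desk", "ehr", "https", True, False),
    Hop("ehr", "billing-laptop", "download", False, False),  # CSV export
    Hop("billing-laptop", "clearinghouse", "sftp", True, True),
    Hop("ehr", "pharmacy", "email", False, True),             # plain email
    Hop("intake-desk", "file-cabinet", "paper", False, False),
]
STORES = [
    Store("ehr", "ehr", True),
    Store("billing-laptop", "laptop", False),
    Store("file-cabinet", "file-cabinet", False),
]


def entry_points(hops):
    """Nodes that only send PHI and never receive it: where data enters."""
    sources = {h.src for h in hops}
    dests = {h.dst for h in hops}
    return sorted(sources - dests)


def third_party_egress(hops):
    """Outside organizations that receive PHI (each needs a BAA review)."""
    return sorted({h.dst for h in hops if h.third_party})


def unencrypted_findings(hops, stores):
    """Electronic hops sent in the clear, plus stores without protection."""
    findings = []
    for h in hops:
        if h.channel != "paper" and not h.encrypted:
            findings.append(f"transit: {h.src} -> {h.dst} via {h.channel}")
    for s in stores:
        if not s.protected:
            findings.append(f"at rest: {s.node} ({s.medium})")
    return findings


def reachable_from(hops, start):
    """Every node PHI can reach from `start` (depth-first walk)."""
    adj = defaultdict(list)
    for h in hops:
        adj[h.src].append(h.dst)
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(adj[node])
    seen.discard(start)
    return sorted(seen)


def to_dot(hops):
    """Graphviz source for the box-and-arrow chart; dashed = in the clear."""
    lines = ["digraph phi {"]
    for h in hops:
        attrs = "" if h.encrypted or h.channel == "paper" else " [style=dashed]"
        lines.append(f'  "{h.src}" -> "{h.dst}"{attrs};')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("entry points:", entry_points(HOPS))
    print("third-party egress:", third_party_egress(HOPS))
    for finding in unencrypted_findings(HOPS, STORES):
        print("finding:", finding)
    print(to_dot(HOPS))
```

Feed `to_dot()` output to the `dot` command to render the chart; the dashed edges are the hops the May risk analysis will want to look at first.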
MARCH
START REGULAR EMPLOYEE TRAINING
Now that you’ve got the patient data location part under your belt, it’s time to take a quick break and organize your plan for employee training.
Your employees are the lifeblood of your organization. They can also be a security risk. Most HIPAA breaches and security issues within healthcare originate at an employee level. That’s why annual or even quarterly trainings aren’t enough.
Make a plan for how often you’ll train employees and which methods you use. Each organization will run employee trainings differently depending on their workforce, but here are some questions to ask during your planning phase:
• Will each department lecture their employees every two weeks on a certain topic?
• Will each employee be required to take an online training course each month?
• Who will be in charge of ensuring employees complete trainings?
• Will you send out data security emails to supplement trainings?
• Will you require all new hires to pass a test before employment?
• What punishments will exist for employees who refuse to attend training?
• Will you require employees’ signatures for training sessions?
• Will you provide incentives to those with the highest scores or who have completed training?
Documentation is a very important part of employee training. If the HHS comes knocking, you should be able to tell them the date each workforce member last underwent training, what that training was about, what past training they’ve had, and the next time they’ll undergo training.
APRIL
TEST YOUR EMPLOYEES
The best way to analyze the effectiveness of your security training program is through employee testing. When incidents happen, how will employees respond? Was last month’s training effective?
This idea of testing employees is becoming very popular in the healthcare sector. Here are two common ways you can test employees:
Social engineering: Hire an ethical social engineer to see if employees will question or report someone who doesn’t belong in their work environment. Have the social engineer dress in a maintenance uniform, walk into a secured area, and attempt to steal PHI. What do your employees do?
Phishing: Send staff a fake phishing email (created by your IT team), and track the number of opens to see how many fall for it. Recently, an Indiana University study found that 15% of staff members click on phishing emails.
After analyzing the experiments’ results, make a plan for the future. How will you adjust trainings going forward to ensure employees understand what to do in these situations? As always, don’t forget to document how tests were conducted, who participated, the results, and your future plans to mitigate these failures.
The results from your tests will also give you some great statistics to present to a budget-conscious board of directors who need a little nudging when it comes to security.
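The training records March says you must be able to produce and the phishing-test results April asks you to track fit together naturally. The following is an added example (not code from this guide or its author) that keeps a small constructed training log and simulation result set for a hypothetical clinic, answers the per-employee questions the HHS would ask (last date, topic, history, next due date), computes the click rate overall and by department, and produces the next refresher cohort. The 30-day cadence, the names and the departments are assumptions.

```python
"""Training records and phishing-test results for a workforce.

Added example; not part of the original guide. The log entries and the
simulation results are constructed for a hypothetical clinic, and the
30-day cadence is an assumption taken from the monthly-course question in
the March planning list. The functions answer what the guide says you must
be able to tell the HHS (last training date, topic, history, next due date)
and turn April's phishing results into the next training cohort.
"""
from datetime import date, timedelta

CADENCE_DAYS = 30               # assumption: monthly refresher training
AS_OF = date(2024, 3, 1)        # constructed "today" for the report

# Constructed training log: (employee, department, training date, topic)
TRAINING_LOG = [
    ("alice", "billing", date(2024, 1, 10), "phishing"),
    ("alice", "billing", date(2024, 2, 12), "PHI handling"),
    ("bob", "front-desk", date(2024, 1, 15), "phishing"),
    ("carol", "nursing", date(2024, 2, 20), "workstation security"),
    ("dave", "front-desk", date(2023, 11, 1), "phishing"),
]

# Constructed simulation results: (employee, clicked the test link?)
PHISH_RESULTS = [("alice", True), ("bob", True), ("carol", False), ("dave", False)]


def training_history(log, employee):
    """All (date, topic) pairs for one person, oldest first."""
    return sorted((d, t) for e, _, d, t in log if e == employee)


def last_training(log, employee):
    hist = training_history(log, employee)
    return hist[-1] if hist else None


def next_due(log, employee, cadence=CADENCE_DAYS):
    last = last_training(log, employee)
    return last[0] + timedelta(days=cadence) if last else None


def training_record(log, employee, cadence=CADENCE_DAYS):
    """The per-person record the guide says you should be able to produce."""
    last = last_training(log, employee)
    return {
        "employee": employee,
        "last_date": last[0] if last else None,
        "last_topic": last[1] if last else None,
        "history": training_history(log, employee),
        "next_due": next_due(log, employee, cadence),
    }


def overdue(log, as_of, cadence=CADENCE_DAYS):
    """Everyone whose next due date has already passed as of `as_of`."""
    employees = {e for e, *_ in log}
    return sorted(e for e in employees
                  if (due := next_due(log, e, cadence)) is not None and due < as_of)


def click_rate(results):
    """Share of recipients who clicked; compare with the 15% figure cited."""
    if not results:
        return 0.0
    return sum(1 for _, clicked in results if clicked) / len(results)


def department_click_rates(results, log):
    """Click rate per department, to target follow-up training."""
    dept_of = {e: d for e, d, *_ in log}
    totals, clicks = {}, {}
    for e, clicked in results:
        d = dept_of.get(e, "unknown")
        totals[d] = totals.get(d, 0) + 1
        clicks[d] = clicks.get(d, 0) + (1 if clicked else 0)
    return {d: clicks[d] / totals[d] for d in totals}


def refresher_cohort(results, log, as_of, cadence=CADENCE_DAYS):
    """Who gets the next session: anyone who clicked or is overdue."""
    clicked = {e for e, c in results if c}
    return sorted(clicked | set(overdue(log, as_of, cadence)))


if __name__ == "__main__":
    for person in ("alice", "bob", "carol", "dave"):
        print(training_record(TRAINING_LOG, person))
    print("overdue:", overdue(TRAINING_LOG, AS_OF))
    print(f"click rate: {click_rate(PHISH_RESULTS):.0%}")
    print("by department:", department_click_rates(PHISH_RESULTS, TRAINING_LOG))
    print("next cohort:", refresher_cohort(PHISH_RESULTS, TRAINING_LOG, AS_OF))
```

Keeping the log as dated rows rather than a single "trained: yes" flag is what lets you answer the HHS questions in the order the guide lists them; the cohort function is the documented "future plan to mitigate these failures".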
MAY
LOCATE PROBLEM AREAS
With your intimate knowledge of systems, technologies, and processes (from January and February), locate the risks, threats, and vulnerabilities that currently exist in your organization.
• What vulnerabilities exist in your systems, applications, processes, or people?
• What threats (internal, external, environmental, and physical) exist for each of those vulnerabilities?
• What is the probability of each threat triggering a specific vulnerability?
Even if you created a comprehensive PHI flow chart and feel you understand exactly what’s going on at your organization, you probably need someone well-versed in IT data security and HIPAA compliance to help you analyze your vulnerabilities.
A MAJOR COMPONENT OF THE
REQUIRED RISK ANALYSIS IS TO
LOCATE WHERE YOUR ORGANIZATION’S
SECURITY FAILS.
By examining vulnerabilities, threats, and risks, you’ll be able to narrow down which problems must be addressed right away.
• Do you use the cloud? What are the implications there?
• How are physical copies of PHI stored?
• Is encryption implemented throughout the entire organization?
• Do third parties use two-factor authentication when using remote access into your environment?
• When employees leave workstations, do they turn on a password-protected screensaver?
Capture each vulnerability, and record its potential impact, risk level, and when you found it. Do yourself a favor and run vulnerability scans to identify more weaknesses in your organization’s network and systems, or contract with ethical hackers to conduct a penetration test to see where holes exist in your environment. If you’ve documented everything up until this point, you’ve created your HIPAA Risk Analysis.
JUNE
CREATE A RISK MANAGEMENT PLAN
Now that you’ve created a giant list of problems, you’ve got to plan out how you’ll deal with them. Spend June crafting a thorough Risk Management Plan. Your plan should document:
• Each HIPAA rule: It’s easiest to organize a Risk Management Plan the same way HIPAA is outlined. Line item each HIPAA rule, and work from there. That way, you won’t miss anything important.
• Your plan: Next to each HIPAA rule, detail your organization’s plans to comply with each rule. This portion should outline the detailed action plan for your risks.
• Risk level: Each vulnerability discovered from your Risk Analysis should be noted in the corresponding HIPAA rule, and given a risk level (high, medium, low).
• Date completed: Including a date completed section is helpful for both HHS documentation and your own records.
• Completed by: This is great for practices where two or more people (such as a doctor and office manager) are working to complete a Risk Management Plan together.
• Notes section: It’s helpful to include a comments section next to each requirement, including what policy is associated with the requirement; this helps you stay organized for years to come.
Creating this plan from scratch will likely take you the entire month (or longer), and should be a joint effort among directors, IT, security administrators, etc.
JULY
START FIXING YOUR PROBLEMS
Now, you have one giant list of HIPAA compliance to-dos. Instead of feeling relieved that you’ve created a Risk Management Plan, you might feel overwhelmed. After all, you haven’t even started fixing any of your problems yet. You’ve just been researching and documenting.
Don’t get overwhelmed. Instead, prioritize.
IT’S NOT ABOUT FINDING TIME. IT’S ABOUT
MAXIMIZING THE LITTLE TIME YOU HAVE.
As you prioritize, ask yourself:
• What are the most important parts of your Risk Management Plan?
• Which vulnerabilities are most likely to be exploited this year?
• Where are your highest threats?
HIPAA compliance doesn’t have to be unmanageable. Break it up into manageable pieces. Start with small changes, such as designating a privacy and security officer, updating your systems, or training employees.
Pick the top five problems at your organization and tackle those first. Make an action plan for the next five problems. Pretty soon, you’ll be on your way to total HIPAA compliance.
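The May findings, the June plan columns and the July prioritization are one data set seen three ways. Here is an added example (not code from this guide or its author): a constructed risk register for a hypothetical clinic, scored with a likelihood-times-impact matrix, grouped by HIPAA rule for the plan, and cut down to the top five open items plus the "next five" action plan. The matrix thresholds and the rule labels are assumptions; the labels are descriptive placeholders where a real plan would cite the specific Security Rule sections.

```python
"""Risk register, Risk Management Plan rows and July's work list.

Added example; not part of the original guide. Every entry below is
constructed from the guide's own May questions (cloud use, paper PHI,
encryption, vendor two-factor, screensavers). The scoring matrix and the
`hipaa_rule` labels are assumptions: the labels are descriptive
placeholders where a real plan would cite the specific Security Rule
sections.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Risk:
    vulnerability: str
    threat: str
    likelihood: int               # 1 unlikely, 2 possible, 3 likely
    impact: int                   # 1 low, 2 moderate, 3 severe
    hipaa_rule: str               # placeholder label for the rule it maps to
    found_on: date                # "when you found it"
    completed_on: Optional[date] = None
    completed_by: Optional[str] = None
    notes: str = ""               # e.g. the policy tied to the requirement

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        # Assumption: 3x3 matrix, 1-2 low, 3-4 medium, 6-9 high.
        if self.score >= 6:
            return "high"
        if self.score >= 3:
            return "medium"
        return "low"


# Constructed register for a hypothetical clinic.
REGISTER = [
    Risk("PHI exports kept unencrypted on billing laptop", "lost or stolen laptop",
         3, 3, "Encryption and decryption", date(2024, 5, 2),
         notes="policy: Safeguarding and storing PHI"),
    Risk("Vendor remote access without two-factor", "stolen vendor credentials",
         2, 3, "Person or entity authentication", date(2024, 5, 3)),
    Risk("Workstations left unlocked in reception", "walk-up access by visitors",
         3, 2, "Workstation security", date(2024, 5, 6)),
    Risk("Paper PHI in unlocked file cabinet", "physical theft",
         2, 2, "Physical safeguards", date(2024, 5, 7)),
    Risk("Cloud share with link-based access", "accidental public exposure",
         1, 3, "Access control", date(2024, 5, 8)),
    Risk("No NTP configuration on servers", "audit logs with unreliable timestamps",
         2, 1, "Audit controls", date(2024, 5, 9)),
    Risk("Unsupported OS on reception PC", "malware infection",
         3, 2, "Protection from malicious software", date(2024, 5, 10),
         completed_on=date(2024, 6, 15), completed_by="it-admin",
         notes="replaced during system update"),
]


def prioritize(register, top_n=5):
    """Open items, highest score first, oldest first on ties: July's list."""
    open_items = [r for r in register if r.completed_on is None]
    return sorted(open_items, key=lambda r: (-r.score, r.found_on))[:top_n]


def next_batch(register, top_n=5):
    """The "action plan for the next five": whatever prioritize() left out."""
    return prioritize(register, top_n=None)[top_n:]


def by_rule(register):
    """Group findings under the HIPAA rule they map to (June's layout)."""
    plan = {}
    for r in sorted(register, key=lambda r: r.hipaa_rule):
        plan.setdefault(r.hipaa_rule, []).append(r)
    return plan


def plan_rows(register):
    """Flat rows with the columns the guide lists for the plan."""
    return [(r.hipaa_rule, r.vulnerability, r.level,
             r.completed_on.isoformat() if r.completed_on else "",
             r.completed_by or "", r.notes)
            for items in by_rule(register).values() for r in items]


def status_summary(register):
    """Counts by (level, open/done): the numbers for the board."""
    summary = {}
    for r in register:
        key = (r.level, "done" if r.completed_on else "open")
        summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"[{r.level:6}] {r.score} {r.vulnerability} ({r.hipaa_rule})")
    print("next batch:", [r.vulnerability for r in next_batch(REGISTER)])
    print(status_summary(REGISTER))
```

Completed items stay in the register with their date and who closed them; they drop out of the work list but still appear in the plan rows, which is exactly the record the guide wants on hand if the HHS asks.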
AUGUST
CREATE AN INCIDENT RESPONSE PLAN
A lot of healthcare organizations have an Incident Response Plan . . . but it’s been collecting dust on a shelf for five years. It’s time to pull it out, blow off the dust, and update it. Your systems, processes, and personnel change constantly. New possible incidents arise every year that your employees might not be prepared to deal with.
When creating your plan, use the information gleaned from your Risk Analysis and Risk Management Plan to create realistic example situations.
STAFF MUST BE TRAINED
REGULARLY ON THIS PLAN
TO EFFECTIVELY EXECUTE IT.
Here are some questions to ask yourself when you create your Incident Response Plan:
• What types of security precautions are in place?
• What is the protocol if an employee suspects a data breach?
• Internally and externally, who should be notified if an incident occurs?
• Do employees know their responsibilities before, during, and after an incident?
• What if a co-location or business associate is involved in the incident?
SEPTEMBER
TEST YOUR INCIDENT RESPONSE PLAN
Through comprehensive testing, you’ll be able to answer the real question that matters: Does your Incident Response Plan actually work?
Why do fire drills exist? If people already know where to go and what to do when the fire alarm goes off, they don’t think. They just act. The same principle applies to testing your incident response plan.
By testing, you see how employees work together, what kinds of decisions they make in stressful conditions, and how fast they resolve issues. You’ll see if they follow the plan, follow policies, or just wing it.
When crafting tests, pay attention to the situations most likely to arise in your organization, and test your employees on those circumstances. Document failures and successes during your test, and use the results to adjust the incident response plan or training as needed.
OCTOBER
GET BUSINESS ASSOCIATES ON BOARD
It doesn’t matter what type of organization you are: third parties impact your security. Sometimes third parties do a stellar job at security. Other times, they fail miserably. That’s why you must be hyper-vigilant with every third party that could impact the security of your patient data.
Healthcare entities often believe their business associate agreements cover them in case of a breach. Unfortunately, that’s not accurate. The HIPAA Omnibus Rule states that even if a business associate has never signed a Business Associate Agreement (BAA), they may still be held liable. This also means the covered entity carries liability as well. Specifically, the HIPAA Final Omnibus Rule requires covered entities to implement or update a BAA for all relationships wherein the business associate creates, receives, maintains, or transmits electronic patient information.
It’s common for third party vendors to not fully realize they are part of HIPAA regulations, as they may not actually view healthcare data. That’s why this month is a good time to educate your third party vendors, and determine the risk they pose to you and your data. If they are unwilling to sign a BAA, it may be advisable to seek out vendors that will treat your data more securely and are contractually willing to protect it.
NOVEMBER
UPDATE POLICIES
If you’re like 90% of healthcare organizations out there, you already have organizational policies. But they probably haven’t been reviewed or updated in years. Or perhaps you have policies, but they haven’t been properly documented.
TO MAINTAIN HIPAA COMPLIANCE, UPDATE
YOUR CURRENT POLICY AND PROCEDURE
DOCUMENTATION, AND ENSURE EMPLOYEES
ARE APPROPRIATELY TRAINED.
The HHS takes written policies very seriously. At the end of 2013, Adult & Pediatric Dermatology, P.C. was fined $150,000 by the HHS for not having breach notification policies.
Policies define what and how your organization protects PHI. They should provide guidelines on what workforce members can and can’t do. A policy is basically a security framework for your employees. Here are the policies you should implement at your organization.
BREACH NOTIFICATION POLICIES
Your policy should include documentation of:
• Members and contact information of your breach response team
• State and federal breach response laws
• Who to notify in case of a breach (e.g., stakeholders, the HHS, law enforcement, patients, and the public)
• Response timelines
SECURITY POLICIES
A few examples of good security policies to include in your business plan include:
• Firewall configuration standards
• Job descriptions
• Network time protocol (NTP) configuration procedures
• Physical security procedures
• Security awareness training procedures
• Workstation functions
PRIVACY POLICIES
A few examples of good privacy policies to include in your business plan include:
• Accounting of disclosures of PHI
• Patient access to PHI
• Authorization for release of PHI
• Minimum necessary for uses and disclosures of PHI
• Emailing PHI
• Safeguarding and storing PHI
• Destruction of PHI
Remember, a policy is only as good as its enforcement. Don’t let your policies sit on a shelf! Train your employees on company policies, or all that policy writing will have been for nothing. Review policies on a regular basis to ensure they are updated with system, personnel, and technology changes.
DECEMBER
ASSESS YOUR PROCESS
HIPAA shouldn’t necessarily be an annual process; it should be an ongoing process. You should do a deep dive and reanalyze your HIPAA compliance plan every year.
Assess where you are, and how far you’ve come. Set HIPAA goals and milestones for next year. Plan out employee trainings based on risks and vulnerabilities you found during your risk assessment this year.
As always, don’t forget to document your plans for next year!