02.06.2024

Why your organization needs a HIPAA Privacy Assessment

By J’NON GRIFFIN
RN, MHA, HCS-D, HCS-H, HCS-C, HCS-O, COS-C
Sr. Vice President of Compliance & Coding

You’ve done your homework, appointed a HIPAA Privacy Officer, ensured regular HIPAA training takes place, and reviewed and re-reviewed the Code of Federal Regulations and all the HIPAA privacy, security and administrative data standards set out by HHS and enforced by its Office for Civil Rights (OCR).

But how would your organization’s policies hold up under the scrutiny of a HIPAA audit?

Do your policies align with current best practices for the protection of PHI? When was the last time you updated? Have you documented changes, including all training provided to affected staff? Have you retained that documentation for at least six years from the date the document was created or the date it was last in effect, whichever is later?

The truth is, most healthcare organizations struggle a bit with keeping their policies up to date. In fact, OCR reports that the most common reason covered entities and business associates fail their HIPAA audits is that they did not have appropriately updated policies and procedures in place to protect PHI.

HIPAA privacy risks are evolving.

At SimiTree, our certified healthcare experts work with providers across all healthcare settings to ensure compliance – and we know that HIPAA compliance is one of the areas where many organizations can feel some degree of unwarranted confidence.

Organizational leaders often assume HIPAA compliance is taken care of in the training sessions they see in the budget every year. After all, we’ve had the Health Insurance Portability and Accountability Act (HIPAA) since 1996. It has been decades since the U.S. Department of Health and Human Services (HHS) first set out national standards relating to the privacy and security of health information.

But compliance officers charged with staying on top of things know better. Compliance is constantly changing. Risks associated with the protection of health information are rapidly evolving, especially in the area of technology, and guidance for compliance changes along with the ongoing evolution. It's important for providers to stay abreast of changes, provide necessary staff training, and make needed changes to agency policies and procedures.

Business associates, subcontractors, and vendors must be considered as well. When things change, updates are required.

It's also important for the governing board and management at your organization to be able to demonstrate appropriate understanding and oversight of HIPAA privacy risk mitigation.

Mistakes in these areas and others can prove costly, with sanctions, civil monetary penalties – even criminal penalties, when warranted.     

What is a HIPAA privacy assessment?

Covered entities and their business associates are required to analyze potential risks and vulnerabilities. The Security Rule, at 45 CFR 164.308(a)(1)(ii)(A), requires organizations to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information they hold.

In addition, HHS and its Office for Civil Rights (OCR) set standards to guide covered entities and business associates toward full HIPAA Privacy and Security Rule compliance. These standards address administrative, physical and technical safeguards and responsibilities.

SimiTree offers a HIPAA privacy assessment to help organizations determine how well they are meeting these standards.

The assessment consists of a structured review of the agency's current state related to HIPAA privacy and security, including the confidentiality and integrity of non-electronic as well as electronic PHI, patient access rights to PHI, Business Associate Agreements, and other important information.

A HIPAA Privacy Assessment can help your organization identify potential issues ranging from which data needs to be backed up – and how – to which of your personnel screening processes may need an update.

It’s a unique assessment.

You won’t find a one-size fits all template online for a HIPAA Privacy Assessment because each one must be tailored to your organization.

Because healthcare providers are so different, the Security Rule is designed to be flexible and scalable. Each entity will need to implement its own policies, procedures, and security protocols that are individually appropriate. Our assessments include development of a unique risk management plan that addresses unique vulnerabilities and pinpoints new procedures and policies that are right for your organization.  

Having a knowledgeable firm like SimiTree step in to thoroughly evaluate your organization’s HIPAA privacy compliance can pay big dividends, especially when putting together a sound risk management plan. SimiTree’s compliance experts have the knowledge and expertise to assist organizations in developing and maintaining a dynamic privacy program.  Because we see the interconnected nature of HIPAA privacy, compliance, regulatory and quality goals, we can lead your organization to successfully minimize risk and improve performance.

Want more information about how a HIPAA Privacy Assessment can help your organization? Reach out to us today to learn more.

Next week: What your organization needs to know about the new SDoH assessment

Make sure you’re subscribed.

It's more important than ever to stay abreast of compliance issues in 2024 — and I don’t want you to miss any of my new Weekly Compliance Reports. Be sure to add your name to the subscription list.

Why not invite the compliance officers you know to sign up as well?


Have a compliance question?
SimiTree’s certified healthcare experts can help! Our team is made up of former auditors and surveyors from across healthcare settings. We have the know-how and the experience to help your organization mitigate risk. Reach out to us today with all your compliance needs.

J’non Griffin serves as Senior Vice President for the Compliance as well as Coding divisions at SimiTree. With a healthcare career that spans three decades, she has a track record of helping many provider types implement effective compliance programs. She has worked with organizations nationwide to develop compliant emergency preparedness and operation plans, implement fully compliant plans of care, and meet regulatory demands. As an AHIMA ambassador, Griffin was instrumental in preparing the coding community for the launch of ICD-10.