Here is a secret that compliance experts have known for a long time:
It is very difficult to be 100% compliant with HIPAA regulations.
Of course, you have probably seen claims like these:
- Buy our product and we will make you HIPAA compliant
- Compliance in a box!
- Be HIPAA compliant in 30 days!
HIPAA compliance is not a single purchase; you cannot buy a product and become compliant. HIPAA compliance is a process. It is about understanding where patient information is and figuring out how it should be protected, and it is an ongoing process: an organization must constantly reevaluate how it protects patient information and keep looking for ways to strengthen or refine that protection.
Have a Good Story
You may be saying to yourself, "Oh great, this HIPAA stuff is even harder than I thought." Don't despair!
It is true that becoming 100% HIPAA compliant, and staying 100% HIPAA compliant, is difficult. In some cases it takes years to reach full HIPAA compliance, and some organizations never get there. And once you reach 100% compliance, all it takes is one employee violating your policies or procedures and you are no longer at 100%. But all is not lost!
If you are concerned about being audited and having to show compliance with HIPAA regulations, then make sure you have a good story to tell. Compliance, whether with HIPAA, OSHA, PCI, SOX, etc., is about showing that you have taken the applicable regulations and standards seriously. Let me be clear: I am not saying you should not strive to be compliant with government regulations. I am saying that audits reveal gaps in compliance, and the size of the gap is what really matters.
You may be asking yourself, "What is a good story?" A good story is your answer to the question "Are you complying with government regulations?" Before we get to a HIPAA good story, let's look at being pulled over for speeding on a highway.
The question: "Do you know why I pulled you over?"
- Great story: "I don't. I was going 63 mph and the speed limit is 65 mph. I set my cruise control to make sure that I stayed under the speed limit. I obeyed all traffic regulations and have driven carefully, and I really have no idea why you pulled me over."
- Good story: "You pulled me over because I was going 9 miles over the speed limit. Normally I stay within 4 miles of the speed limit and obey traffic regulations, but my spouse just called, my daughter was hurt playing soccer, and I am rushing to the hospital to see them."
- No story: "Yes, I was speeding."
Each of the above stories may affect the penalty for non-compliance with the speed limit. The Great Story shows that you are in compliance. The Good Story admits that you are not in compliance but demonstrates that you understand the requirements and have made an effort to comply. The No Story shows that you are non-compliant, have no defense, and have made no visible attempt to comply.
Let's now look at what a good story is with regard to HIPAA compliance. A HIPAA audit is just like being pulled over for speeding: it gives you a chance to show your compliance with HIPAA regulations.
The question: "Have you complied with HIPAA regulations? Show us your HIPAA Risk Assessment; show that you have implemented a Risk Management process, that you have HIPAA policies and procedures, that you have trained your employees on HIPAA security, that you have an incident response plan, that you have business associate agreements, that you have implemented a disaster recovery plan, etc."
- Great story: You produce each of the requested items and can demonstrate that you are 100% in compliance with HIPAA regulations.
- Good story: You produce your Risk Assessment, and you show that you have policies and procedures and have trained your employees. You explain that you plan to address disaster recovery within the next 6 months. You show that you have business associate agreements for most, but not all, of your business associates.
- No story: You cannot produce any of the requested items to demonstrate HIPAA compliance.
Once again, your story may affect the penalty for non-compliance. No story means that you have simply ignored HIPAA requirements. This is referred to as Willful Neglect, and it carries the highest financial penalties (up to $1.5 million per year for each violated provision). A Good story shows that you have taken HIPAA requirements seriously and have made an effort to comply; if you are penalized, the financial penalties should not be as high as for Willful Neglect, and with a Good story you may not receive any financial penalty at all. The Great story shows that you are in compliance with HIPAA regulations, and you should not receive any financial penalties.
So if you get pulled over (for speeding or for HIPAA compliance), make sure you have a good story to tell!
Free HIPAA Security Training!
All Covered Entities and Business Associates need to train their employees on HIPAA security. We now offer free online HIPAA security training for Covered Entities and Business Associates. Find out more about our free training and send the information to ALL of your colleagues and Business Associates.
Now it is easy to train your employees on protecting patient information!