6 Ways Clinics Effectively Manage Compliance

NetgainCybersecurity & Compliance, Healthcare IT

While the No.  1 priority of healthcare practices is patient satisfaction, compliance continues to be a significant focus for practices across the nation. Modern Healthcare reports that in 2016, there were 106 major healthcare data breaches attributed to hackers and reported to the federal government. Those breaches exposed 13.5 million individuals’ records.

With providers and patients alike accessing sensitive data over their mobile devices, tablets and home computers, patient data is becoming increasingly vulnerable.

Here are 6 ways clinics effectively manage compliance:

1. Know your vendors and what they have access to
Healthcare practices often partner with other organizations to deliver the full spectrum of care. These partners may have access to your patient’s data, your network or various aspects of your environment.

Implement a vendor management process that identifies who has access to what and for what reason. When a partnership ends, this vendor management process will also make it easier to fully terminate the partner’s access to your data.

2. Identify who is responsible for each aspect of compliance
Sometimes, practices assume their partners are responsible for aspects of security and compliance where they’re not. This leaves gaps in security, which can cause vulnerabilities for ePHI.

For example, while your cloud provider may be responsible for compliance surrounding the delivery of your applications through the cloud, your local workstation and local network compliance is still your practice’s responsibility.

Talk directly with your partners about compliance ownership. What are they in charge of? What is your practice responsible for? Understanding exactly who is responsible for what will protect your practice.

3. Conduct regular risk assessments and follow up
HIPAA’s Security Rule requires practices to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].”

In addition to simply conducting the assessment, your practice should have a strategy for how to manage the risk that is identified by the assessment.  Will you accept the risk or make necessary changes to remove the risk? Prioritizing risks and identifying their consequences will help your practice make the decision whether to accept or remove the risk.

4. Designate an internal compliance officer
In addition to the Risk Assessment, HIPAA’s Security Rule requires practices to have designated security personnel. This person, or group of people, is responsible for developing and implementing security policies and procedures. This role is typically filled by a HIPAA Security or Privacy Officer who is managed by someone with an overall organization security responsibility. Someone in management needs to have a security management responsibility.

Security personnel should understand the full landscape of compliance including the management of vendors and understanding who has ownership over compliance elements.

5. Get buy-in and pre-approval from your executive team
As with most initiatives, compliance is more effective with trust and buy-in from your executive team. The nature of compliance requires quick response where a long approval process may put the practice at risk.

The designated security personnel should work closely with the executive team to build trust to act in the best-interest of the practice.

During times where addressing risks involves investments, pre-approval based on a priority level or financial investment cap can be an effective way of providing necessary freedom for security personnel. Doing so may mitigate risks and vulnerabilities to patient data and practice security.

6. Establish disaster recovery and business continuity plans
Though disaster recovery and business continuity are often lumped together, they are separate strategies and should be managed as such.

Disaster recovery planning outlines how your practice would get back to regular business operations after being affected by a disaster that prohibited practice operations. Business continuity, on the other hand, refers to how the practice would continue operating through a disaster.

Having a written and executable plan for both disaster recovery and business continuity is vital to ensure your practice can sustain either.

In a climate where there is one healthcare data breach per day, the importance of data security and compliance is at an all-time high.

Lastly, remember that although partnerships may exist between your practice and business associates (your cloud provider, coding partner or billing provider), the ultimate liability and consequence of compliance remains on your practice – the covered entity.