
HIPAA Compliance Plan

A HIPAA compliance plan starts life as a framework for using and disclosing Protected Health Information as required or permitted by the HIPAA Privacy Rule, and as a set of safeguards for protecting the confidentiality, integrity, and availability of electronic Protected Health Information as required by the HIPAA Security Rule.

In addition to complying with the Privacy and Security Rules, a HIPAA compliance plan must also take into account the Breach Notification Rule, any applicable General Rules (Part 160), and any applicable Transaction Rules (Part 162). Some elements of HIPAA compliance may also have to be integrated with other federal regulations (e.g. 42 CFR Part 2) or may be preempted by state regulations that provide greater privacy protections, increased patient rights, or shorter breach notification periods.

Responsibility for Creating a HIPAA Compliance Plan

The administrative requirements within the HIPAA Security Rule are quite clear about who has responsibility for creating a HIPAA compliance plan. Section §164.530 of the Security Rule states “A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity”.

This not only involves the creation of a HIPAA compliance plan, but making sure that the items within the plan are implemented. The person given the role of “Privacy Official” is also responsible for conducting ongoing risk assessments to identify vulnerabilities and threats to the integrity of Protected Health Information (PHI), and for evaluating solutions to mitigate those vulnerabilities and threats.


What are the Vulnerabilities and Threats to PHI?

The vulnerabilities and threats to the integrity of PHI will vary according to the nature of an organization's business, its size, and the volume of PHI that is kept and communicated. All HIPAA-covered entities should review the HIPAA Privacy Rule and the HIPAA Security Rule, particularly the administrative, physical, and technical requirements of the HIPAA Security Rule.

These requirements contain all the information that a Privacy Official will need to create a HIPAA compliance plan, including the technical safeguards that should be put in place to prevent unauthorized access to PHI. These include the requirement to encrypt PHI, to maintain it in a secure environment, and to monitor access both to the secure environment and to the data itself, whether it is at rest or in transit.

Potential Issues with Implementing a HIPAA Compliance Plan

Once a HIPAA compliance plan has been developed, it has to be implemented. This can create numerous issues, particularly in a busy medical facility where access to PHI is vital for the running of the facility and the treatment of patients. The risk exists that insecure access to PHI, or the insecure communication of PHI, could result in an unauthorized disclosure of health data, exposing the medical center to fines and civil legal action.

The issues are amplified when medical professionals use personal mobile devices to access and communicate PHI. Pager messages containing PHI, unencrypted SMS messages, and unencrypted emails should not form any part of a HIPAA compliance plan, as they are inherently insecure channels of communication. Consequently, a Privacy Official has to find and evaluate a solution that overcomes these potential issues.

How Secure Messaging Can Provide a Solution

Secure messaging is an appropriate solution to the potential issues with implementing a HIPAA compliance plan. Operating via a secure cloud-based environment, secure messaging works by creating an encrypted communications network for the medical center or, on a larger scale, for a whole healthcare organization.

Authorized users access the encrypted communications network with secure messaging apps that can be downloaded onto any desktop computer or mobile device. Each authorized user is assigned a unique username and PIN code so that their access to PHI can be monitored, while safeguards exist to prevent PHI from being deliberately or accidentally sent outside of the network.

Further Security Measures Prevent Unauthorized Disclosures

Each message sent via the secure messaging platform is acknowledged with a delivery notification, and with a read receipt once it has been opened and read. This ensures that each message is received by the correct recipient(s) and provides 100% message accountability. If a message has inadvertently been sent to the wrong recipient, system administrators have the ability to retract it remotely.

To protect the integrity of PHI and assist with the implementation of a HIPAA compliance plan, further security measures ensure that authorized users are automatically logged out of their apps after a period of inactivity, that messages have a "message lifespan" after which they are removed from a user's app, and that administrators can remotely PIN-lock the app if a user's mobile device is lost or stolen.

The Benefits of Secure Messaging

The implementation of a secure messaging solution means that medical professionals and other authorized users retain the speed and convenience of mobile technology without exposing the healthcare organization to the risk of a data breach. Indeed, because of the delivery notification function, secure messaging has often accelerated the communications cycle.

The ability to conduct group messaging has often been seen to foster collaboration and to reduce patient admission times and hospital discharge times, and, when integrated with an EMR, secure messaging can reduce patient safety incidents such as the administration of an incorrect medication. As far as a Privacy Official is concerned, a secure messaging solution enables them to implement a HIPAA compliance plan quickly, easily, and without draining the resources of an IT department.


Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
