Although the HHS' Office for Civil Rights provides various tools to assist with HIPAA compliance, their non-explicit and technology-neutral nature means they are not always suitable for Covered Entities and Business Associates, who then have to seek training and compliance products from third-party providers.
Many of the HIPAA products offered by third-party providers can be very good. Others, though, are not so good, and will not help a business become HIPAA compliant. Indeed, some could result in businesses believing they are HIPAA compliant while significant weaknesses exist in their policies and procedures.
For this reason, we have compiled a list of features that should appear in any HIPAA product or service being marketed as a HIPAA compliance aid. The list is not exhaustive, as it would be impractical to cover every possible scenario. However, the key points are:
Help with Risk Assessments and Risk Analyses
Risk assessments and risk analyses are the backbone of HIPAA. Businesses should not only know what factors to consider in a risk assessment, but also how to chronicle the results of a risk analysis and prioritize the measures that need to be implemented to prevent the unauthorized disclosure of PHI.
The Development of Policies and Procedures
Larger organizations will have departments experienced with developing and enforcing policies and procedures. Smaller organizations may not have the same depth of knowledge and will have to rely on the expertise of a training consultant to ensure their policies are reasonable and appropriate.
The Provision of Training
The provision of training is required by HIPAA. Its purpose is to ensure that every employee understands why measures are being taken to protect the confidentiality of PHI. Therefore, the provision of training should be ongoing so that the objective of the HIPAA training is achieved.
Business Associate Management
It is essential that – if you share PHI with Business Associates – they are also HIPAA compliant. Specialist HIPAA consulting services should be able to advise you on the best way to conduct due diligence on your Business Associates and prepare appropriate Business Associate Agreements.
Audit Support and Breach Support
Many training and compliance products from third-party providers offer audit and breach advice, but when an audit or breach occurs, what will really be important to you is support. By dealing with experienced specialists, your business will be better prepared for a HIPAA audit and better able to cope with a breach of PHI after it has occurred.