HIPAA – Demonstrating compliance with the HIPAA Privacy and Security Rules can be an overwhelming challenge for business associates and covered entities. Let KirkpatrickPrice be your guide down the road to HIPAA compliance with this free video series. Presented by HIPAA Compliance Specialists, this series aims to answer all your questions on how you can prepare for a potential HIPAA audit from the OCR.
You’ve done all the hard work to complete a HIPAA audit… then you receive your HIPAA compliance report. It’s a little confusing, we know. This week on the blog, we’re outlining the four main components of a HIPAA compliance report: scope of engagement, executive summary, assessment method, and assessment of security safeguards. Understanding these components can help your organization use your HIPAA compliance report to provide stakeholders or outside parties with an independent third-party verification that all access controls to ePHI stored on your systems are in compliance with HIPAA requirements.
The HIPAA Security Rule requires that business associates and covered entities have physical safeguards and controls in place to protect electronic Protected Health Information (ePHI). These safeguards provide a set of rules and guidelines that focus solely on the physical access to ePHI.
One of the HIPAA Security Rule requirements is that covered entities and business associates have administrative controls in place. Once you have completed your HIPAA risk analysis, you should have a good idea of what administrative controls are appropriate for your organization to protect ePHI. Having administrative safeguards in place is important for both the prevention and mitigation of a data breach.
The HIPAA risk analysis is the starting point for any HIPAA audit, and the most important component for achieving and maintaining HIPAA compliance. If risk analysis is such a critical part of HIPAA compliance, why is it the number one finding by the Office for Civil Rights (OCR)? Unfortunately, this means that a lot of business associates and covered entities, who are required to comply with HIPAA laws, just aren’t completing a HIPAA risk analysis.
If you are just beginning to learn about HIPAA, you may be wondering, “Who must be HIPAA Compliant?” Up until 2009, the answer was simple: Covered Entities. But when the Health Information Technology for Economic and Clinical Health (HITECH) Act passed, it expanded the oversight of the Office for Civil Rights (OCR) to Business Associates. The HITECH Act was passed in 2009 to promote the adoption and meaningful use of health information technology (HIT).