Avoid HIPAA Violations and Breaches by Being HIPAA Compliant
As agents, it’s your job to insulate your clients with life, health, auto and many other types of insurance…yet, if you’re like most agencies, you fail to fully insulate your own business: you don’t protect your agency, staff and yourself from government HIPAA fines and violations that can put your agency out of business.
The Importance of Documentation
Documentation is one of the most challenging aspects of HIPAA, yet one of the broadest ways to insure your agency against a breach and fines.
Insurance professionals will most often report having policies, but they are not actually documented. Saying you have a policy…is like saying you’ll think about health insurance but not actually buy a policy.
HIPAA compliance is your insurance policy against breaches from hackers, your employees or theft of your laptops and mobile devices.
Every policy, procedure and process that affects PROTECTED HEALTH INFORMATION (PHI) must be documented. This ensures consistency throughout your agency and prepares you for an audit or investigation.
At minimum, you should have the following four Plans documented.
1. Disaster Readiness Plan
The important part of a HIPAA Disaster Readiness Plan is to have a strategy, in the event of any disaster, to recover all electronic PHI and keep it secure. If a breach happens due to a natural disaster, like a tornado for instance, you are still liable for penalties.
Your documented Plan needs the following:
- Recovery time objectives – how often backups are performed
- Maximum tolerable downtime – how long your business can be down
- Working recovery time – how long it takes to get everything running
- Primary decision makers and backups – who handles emergency decisions
- Emergency shutdown – procedures for shutting down systems
- Comprehensive plans for different situations, e.g., flood, fire or tornado – including notifications and meeting locations
2. Incident and Breach Plan
This is your course of action for an incident or breach. This plan includes a checklist or notification letter.
The plan should encompass these steps:
- Analyze the incident, retrieve as many details as possible
- Go through HIPAA’s 4 identification factors to determine if it is a breach
- Notify all necessary individuals and companies
- Determine further actions and how to prevent a similar breach from occurring
3. Change Log
HIPAA requires periodic reviews of access and activity. Keeping all this information together provides a clear picture of how everything is working collectively.
A Change Log or Change Document tracks all changes for these areas:
- Servers
- Workstations
- Building security
- Mobile devices
The GRA Benefits Group template includes nearly 20 different logs.
4. Employee Handbook
An employee handbook details what employees need to know regarding HIPAA.
It should incorporate relevant details of the other three plans such as:
- Where to meet for a disaster, like a fire or tornado
- Password requirements
- Importance of confidentiality
- To whom breaches or suspicious fraud are reported
- Retaliation protection for reporting breaches and fraud
These are only four of the 28 documents GRA Benefits Group provides.
Through PHI365, our premium HIPAA Compliance Program, we deliver customized documentation to move you and your agency toward HIPAA compliance.
Are you practicing what you preach?
You wouldn’t think of operating your agency without E&O insurance (you wouldn’t, right?), or leaving your family without health insurance. Instead of just thinking about it…let the GRA Benefits Group PHI365 help you with the proper HIPAA documentation to insure your agency against a breach…and start preaching!