As well as the technological regulations mentioned above, there are many miscellaneous HIPAA IT compliance requirements that are easy to overlook – for example, the facility access rules within the physical safeguards of the Security Rule. These HIPAA IT compliance requirements may inadvertently be discounted if the IT Department has no responsibility for the physical security of its servers, and it will be the HIPAA Security Officer's role to establish responsibility.
Other areas of the HIPAA IT requirements frequently overlooked include Business Associate Agreements with SaaS providers and hosting companies who may have access to ePHI via the services they provide. The same applies to software developers who build eHealth apps that will transmit PHI. There has to be a Business Associate Agreement in place with any health care provider distributing the app in order to be compliant with the HIPAA IT requirements.
Healthcare organizations are having to deal with a nationwide public health crisis, the likes of which have never been seen. The 2019 Novel Coronavirus (SARS-CoV-2) that causes COVID-19 is forcing healthcare organizations to change normal operating procedures and workflows, reconfigure hospitals to properly segregate patients, open testing centers outside of their usual facilities, work with a host of new providers and vendors, and rapidly expand telehealth services and remote care.
This colossal extra burden makes HIPAA compliance even more difficult, yet even during public health emergencies such as the COVID-19 pandemic, health plans, healthcare providers, healthcare clearinghouses, and business associates and their subcontractors must still comply with the HIPAA Privacy, Security, Breach Notification, and Omnibus Rules.
HIPAA Rules have provisions covering healthcare operations during emergencies such as natural disasters and disease pandemics; however, the current COVID-19 nationwide public health emergency has called for the temporary introduction of unprecedented flexibilities with regard to HIPAA compliance.
The HHS’ Office for Civil Rights appreciates that during such difficult times, HIPAA compliance becomes even more of a strain. In order to ensure the flow of essential healthcare information is not impeded by HIPAA regulations, and to help healthcare providers deliver high quality care, OCR has announced that penalties and sanctions for noncompliance with certain provisions of HIPAA Rules will not be imposed on healthcare providers and their business associates for good faith provision of healthcare services during the COVID-19 public health emergency.
Both covered entities and business associates must have the proper safeguards and controls to protect PHI in their organization. Once they’ve put these safeguards in place, they are considered HIPAA Compliant.
Becoming HIPAA Compliant involves complying with both the HIPAA Privacy regulations and the HIPAA Security regulations.
1. Develop and enforce policies and procedures.
2. Appoint or designate a HIPAA Compliance Officer.
3. Conduct effective employee and management training.
4. Establish effective channels of communication.
5. Conduct internal monitoring and auditing.
6. Respond to breaches and undertake corrective action.
7. Assess policies and procedures and amend as necessary.