5 Things You Must Know About HIPAA Laws in 2023

Admin

Keeping compliant with HIPAA law can be a challenge for organizations in the healthcare field. Ensure your organization is compliant with the latest changes by learning about what's new with HIPAA laws and regulations in this guide.


Learn how to navigate the new HIPAA "Safe Harbor" provision

The new HIPAA "Safe Harbor" provision could reduce or eliminate fines, end audits early, and more. While it is not a safe harbor in the strict legal sense, the provision offers substantial benefits to Covered Entities that put it to use. To qualify, a Covered Entity must implement the NIST CSF or HICP standards in its organization. The provision applies to organizations subject to the Health Insurance Portability and Accountability Act (HIPAA), such as healthcare providers and other organizations that create, receive or transmit electronic protected health information. Organizations should update their policies and procedures to make sure they can demonstrate compliance with this provision.


Understand HIPAA Internal Audit Procedure Requirements

Organizations must have a process in place to review security events and to verify that the proper auditing controls are operating. The audit procedure should include a process for detecting and reporting suspicious activity, malicious software, potential security breaches, and improper use of systems. It should also document which users accessed or used confidential information and what activities they performed. Organizations must retain detailed logs of all audit processes used for 6 years.


Familiarize Yourself with Business Associate Agreement Obligations

HIPAA's latest regulations stipulate that Business Associates (BAs) must comply with the law to the same extent as Covered Entities (CEs). A Covered Entity must have a business associate agreement in place with each Business Associate with which it has a relationship, and the agreement must contain specific required language. It is incumbent upon the CE to ensure that its BAs are compliant, and the CE must obtain satisfactory assurances of that compliance. Failure to have BA agreements in place could lead to significant fines.


Renew Your Organization’s Risk Assessments

To stay compliant with HIPAA's latest regulations, organizations must assess their existing security protocols and update them as needed. This includes evaluating vulnerabilities in their systems and conducting a periodic Security Risk Analysis (SRA). An SRA should cover the entire organization, including its data, physical and logical security, data flows, and connections to third-party vendors, among other areas. Organizations should also evaluate the security methodologies they currently have in place and make any adjustments needed to protect the privacy and security of PHI.


Dispose of PHI properly or get fined

Organizations that fail to properly dispose of electronic and physical PHI may be subject to fines, sanctions, and other penalties. The HIPAA Privacy and Security Rules require organizations to implement disposal processes that protect patient privacy by destroying PHI so that it can no longer be read or reconstructed. Any entity found disposing of PHI improperly can suffer reputational damage as well as hefty fines. When disposing of PHI, therefore, an organization is responsible for selecting an appropriate disposal method (e.g., shredding paper records, clearing digital files) and must closely monitor any third-party vendors performing disposal activities on its behalf.