HIPAA Compliance, Certification, and Best Practices for Schools and Universities

Schools, universities and other institutions of higher education must be compliant with HIPAA as they often store and transmit large amounts of highly sensitive consumer healthcare information – specifically – Protected Health Information (PHI). With data breaches at an all-time high and no end in sight – securing PHI and other forms of sensitive data is now more important than ever. What’s more, because schools and universities are complex organizations layered with various levels of operational, security – and bureaucratic – challenges, the mandates for becoming HIPAA compliant are often difficult indeed. From developing essential documentation to implementing security tools and software, HIPAA “can” be challenging and costly, but it doesn’t have to be, so long as you have a solid understanding of important facts regarding compliance of schools and universities.

Flat Iron Technologies, LLC, is North America’s leading provider of HIPAA Security & Privacy Compliance Toolkits (HSPCT) to schools, universities, and other institutions of higher education. When it comes to saving thousands of dollars on HIPAA compliance, our toolkits are the answer, so visit hipaapoliciesandprocedures.com to learn more today.

8 Things Schools and Universities Need to Know About HIPAA

1. Start with a Deep Dive Discovery: That’s right, it’s time to dig in and take a deep dive into HIPAA for determining something very important: Where do you as a school or university store HIPAA-regulated and healthcare-related data? More specifically, where do you store PHI, and do you also send and transmit PHI for any reason? Get the answers to these questions and you’re off to a great start regarding HIPAA compliance. Call it what you want – a fact-finding mission, a HIPAA hunt, whatever – you need to be able to confidently identify and document all locations (both hard-copy and digital records) of PHI. You’ll be surprised just how much you’ll learn not only about the location of PHI, but about the controls – or lack thereof – put in place for securing such PHI.

Where to begin? Simple: build a spreadsheet and start documenting all locations of PHI, then begin visiting all departments and interviewing personnel as needed for final confirmation. You can also use our HIPAA Security Rule Readiness Assessment Checklist and our HIPAA Privacy Rule Readiness Assessment Checklist to assist with your HIPAA fact-finding mission. After all, you can’t protect what you don’t know you have, so a HIPAA deep dive is absolutely critical for identifying all instances of PHI, both in electronic format and in hard-copy documents.

2. Move on to a Scoping & Readiness Assessment: Successfully identified where all instances of PHI reside in your environment, both hard-copy and electronic format? Great, it’s now time to really dig in and determine what gaps, deficiencies, and other areas of remediation require immediate attention for becoming HIPAA compliant. As stated earlier, our HIPAA Security Rule Readiness Assessment Checklist and our HIPAA Privacy Rule Readiness Assessment Checklist documents are a great way for determining your current posture on HIPAA. You’ll essentially want to be able to answer the “who, what, when, where and why” regarding HIPAA compliance, and that’s exactly what a scoping & readiness assessment does, when performed correctly.

3. Remediate Security Controls: HIPAA was written many years ago – the mid-1990s to be exact – which means the language used to describe information security controls is somewhat antiquated, and that’s putting it lightly. Because of this, schools and universities will need to map the existing HIPAA Security Rule mandates to the information security best practices in place today, as this ultimately determines what gaps and deficiencies still exist. Do you use encryption? Do you have a documented and formalized contingency plan in place? How about an incident response plan? Do you have all the necessary Privacy Rule provisions in place? These are questions schools and universities need to answer for HIPAA compliance, so use our HIPAA Security & Privacy Compliance Toolkits (HSPCT) today, as they include both HIPAA Security Rule and Privacy Rule checklists and readiness assessment documents.

4. Develop Critical HIPAA Documentation: A large – and growing – component of complying with any of today’s complex and burdensome regulatory compliance mandates is developing a healthy amount of information security policies and procedures, along with other supporting documentation. In fact, the amount of policy material that needs to be in place for HIPAA compliance for schools and universities is absolutely staggering. What’s worse, most institutions of higher education simply don’t have the resources or money to spend hundreds of hours authoring policies and procedures, or hiring an expert consultant to author such material. The sensible solution is to source high-quality, professionally developed HIPAA policies and procedures, such as our HIPAA Security & Privacy Compliance Toolkits (HSPCT), available for download at hipaapoliciesandprocedures.com.

If you do have existing policies and procedures in place – then great – but just make sure they can be effectively mapped back to the actual HIPAA standards (i.e., HIPAA Security Rule, Privacy Rule, Breach Notification, etc.), and that they are current, accurate, and truly reflective of your control environment. It can take a tremendous amount of time to develop HIPAA policies and procedures for schools and universities, thus be very mindful of this important element of compliance. One last thing: policies are just that, words written on paper that mean nothing if they’re not enforced and the relevant procedures are not followed. With schools and universities storing massive amounts of PHI, the need for well-written HIPAA policies and procedures is incredibly important.

5. Implement Security Awareness Training: Regardless of what type of healthcare entity you are – a Covered Entity (CE), Business Associate (BA), or some other type of designated health and wellness organization – security awareness training is a must for schools and universities. The problem is that most online training modules are either quite expensive or of poor quality. You need material that’s cost-effective, incredibly well-written, factual and current, and that’s what we offer with our HIPAA security awareness training materials, which can be purchased individually or as part of the HIPAA Security & Privacy Compliance Toolkits (HSPCT). Training and educating employees (i.e., workforce members) is one of the very best investments you can make as an institution of higher education.

6. Perform a Risk Assessment: HIPAA compliance also means performing an annual risk assessment for schools and universities, a process that can sometimes be incredibly lengthy and arduous, depending on the type of risk platform you’re using. What’s important to note about HIPAA risk assessments is that you need to make the risk assessment process work for you, something that’s commensurate with your needs and goals. Sounds easy enough, but many schools and universities get stuck using complex, high-priced risk assessment software that often provides less than meaningful feedback. Making the risk assessment process work for you means using essentially any type of process that yields measurable results back to the business. Maybe it’s a simple spreadsheet, or perhaps an internally developed process that identifies risks in certain departments. The point is, it doesn’t have to be expensive software or high-priced consultants.

The risk assessment material contained within the HIPAA Security & Privacy Compliance Toolkits (HSPCT), available for instant download at hipaapoliciesandprocedures.com, is comprehensive, easy-to-use, and highly beneficial, ultimately providing necessary insight into one’s internal controls. Schools and universities can purchase the HIPAA risk assessment documents separately, or as part of any number of the HIPAA Security & Privacy Compliance Toolkits (HSPCT) offered for sale. Visit hipaapoliciesandprocedures.com today to learn more.

7. Monitor all Relevant Third-Party Providers of Services: We live in a world where every business seems to outsource some type of service or function – and that’s fine – so long as you have controls in place for ensuring such providers take information security seriously. More specifically, do you have any third-party entities with which you share PHI, and if so, what measures do such entities have in place for helping protect PHI? Also, what annual due-diligence activities do you as a school or university perform on these third-party providers? You’re only as strong as your weakest link, and third-party providers with poor internal controls are often that very weak link. Our HIPAA Security & Privacy Compliance Toolkits (HSPCT), offered for instant download at hipaapoliciesandprocedures.com, come complete with a third-party monitoring packet that’s comprehensive and easy-to-use.

8. Engage in Continuous Monitoring of Internal Controls: Your internal controls need to be constantly assessed, changed, and enhanced as necessary to ensure they are functioning as designed – a concept known as “Continuous Monitoring”. Becoming HIPAA compliant is one milestone – and a big one indeed – yet the ability to continuously monitor one’s control environment on a regular basis is the bigger goal, and one that can be quite challenging.

Achieve Rapid HIPAA Compliance with our Award Winning Toolkits

We’ve all heard the misery and nightmarish stories about complying with what’s arguably the most comprehensive, challenging, and time-consuming healthcare law found in North America – HIPAA. Do you have to spend hundreds of hours and thousands of dollars developing essential HIPAA policies and procedures for both the Security Rule and Privacy Rule – absolutely not – especially when using the HIPAA Security & Privacy Compliance Toolkit (HSPCT) – Schools & Universities Edition – the most comprehensive set of Health Insurance Portability and Accountability Act (HIPAA) documents found anywhere in North America today.

Sure, you can spend an enormous amount of money on high-priced HIPAA policy writers and consultants – but why – the HIPAA Security & Privacy Compliance Toolkit (HSPCT) – Schools & Universities Edition – is comprehensive, well-written, easy-to-use, and provides all the necessary documents for helping Covered Entities (CE) and Business Associates (BA) meet demanding HIPAA regulations. You’ve got a business to run, so run it, and leave the compliance documentation development needs to the experts at Flat Iron Technologies, LLC. Visit hipaapoliciesandprocedures.com to learn more today.

Remember, heavy fines are being handed out for non-compliance with HIPAA. Don’t become the next victim of a data breach because of weak internal controls – get serious about compliance and information security once and for all – we can help schools and universities with HIPAA compliance, so visit hipaapoliciesandprocedures.com today.