What’s the MOST important HIPAA compliance step?
The one you’ll actually do.
It’s a bit of a silly answer, but it’s also true. Some compliance work is better than no compliance work, so don’t let the details bog you down so much that they keep you from moving forward. That said, I’ll give you a few concrete recommendations, too. :^)
Everyone I’ve talked to in this field (from attorneys to security experts) recommends slightly different priorities, but some of the most often cited priorities include:
- Creating a culture that values HIPAA compliance
- Completing a risk assessment
- Creating and following procedures that protect PHI (e.g., locking files, turning off the computer, etc.)
- Getting appropriate/useful training
- Using encryption and/or moving client files to a cloud-based practice management system
- Updating basic security protections like software patches and virus/malware programs
- Obtaining BAAs (less for the documentation, more for the reassurance that any entity you permit to access your clients’ PHI will handle it appropriately)
Is there more? Absolutely. But if you haven’t done the items listed above, work on those items before you spend too much time worrying about the intricate details of things like whether emailed credit card receipts are beyond the “basic financial transactions” exclusion and therefore noncompliant without a BAA. But either way, remember the importance of taking the next right step.