Manage and Mitigate Risks
Implement Your Action Plan
Your action plan should address all five HIPAA security components. Follow your action plan and support ongoing efforts to identify, assess, and manage risks.
Prevent Breaches by Educating and Training Your Workforce
All of your workforce members — employees, volunteers, trainees, and contractors — need education and training to know how to safeguard patient information. Your training program should prepare them to carry out your HIPAA-related policies and procedures. Reinforce training with reminders. Above all, lead by example.
Communicate with Patients
A multi-pronged communications plan will help you address patient concerns about EHRs and privacy.
- Inform patients that you place a priority on maintaining the security and confidentiality of their health information.
- Address patients’ health information rights.
- Educate patients on how their health information is used and how it may be shared outside your practice.
- Follow your policies and procedures in notifying affected patients and caregivers when a breach of unsecured PHI occurs.
Update Your BA Contracts
Update all your Business Associate (BA) agreements to comply with the HIPAA Privacy, Security, and Breach Notification Rules. OCR offers sample BA contract provisions.