The last week of December often finds people reflecting on everything that happened in the prior year. But we prefer to use this week to think about the year to come. Indeed, there’s no better way to get your new year off on the right foot than to plan for it before the new year starts!

One area that’s always deserving of more attention (at the start of a new year or otherwise) is HIPAA compliance. We continue to see more enforcement actions from the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR), with steep penalties and stern warnings. Apparently, past enforcement actions haven’t been enough to convince covered entities that they need to get their HIPAA ships in order; in one recent action, OCR found “widespread noncompliance” with HIPAA.

Once OCR starts an investigation, it doesn’t limit itself to the specific allegation that triggered the investigation; it will look at the organization’s entire HIPAA universe. That means a covered entity needs to be HIPAA-compliant from top to bottom.

HIPAA compliance starts with putting the appropriate policy manuals and business associate agreements in place. Then employees have to be trained in HIPAA compliance. Next, a security risk assessment is crucial; OCR considers the security risk analysis fundamental to compliance with the Security Rule. Finally, there’s the “real work” of implementing and complying with all those HIPAA policies on a daily basis.

If that sounds like a lot to think about, call us; we can help you make sure you have the right HIPAA compliance plan in place for 2016.