The US Department of Health and Human Services (HHS), reports there were more than 600 healthcare data breaches last year. More than 40,000 personal records were either exposed or stolen.
There are federal laws that require a healthcare provider to safeguard a patient’s private information. Does your medical practice have effective HIPAA compliance measures in place?
Consider this HIPAA compliance checklist for healthcare, and you’ll know if you’re on the right track.
What Does HIPAA Stand For?
HIPAA is the abbreviation for the Health Insurance Portability and Accountability Act.
These are federal laws that control how a patient’s medical data is stored and used.
HIPAA also provides requirements on how medical personnel should use and disclose protected health information (PHI.) HIPAA updates medical record transfers and protects them from theft or fraud.
What is Protected Health Information?
Protected health information (PHI) is the data that can personally identify clients or patients.
Examples of this information include addresses, social security numbers, names, and phone numbers. PHI also includes credit card information and a facial photo as well.
Electronic PHI that’s accessed, viewed, or sent falls under these HIPAA guidelines. Electronic information is called electronically protected health information (ePHI.)
Who Complies With HIPAA?
HIPAA applies to two different kinds of organizations. These organizations are called a covered entity or a business associate. These organizations are further described below:
A covered entity is an organization that creates, collects, or sends ePHI records. A covered entity directly interacts with a patient. Examples of a covered entity include medical professionals like doctors or therapists.
HIPAA medical compliance also applies to any business that transmits a patient’s health records in any form. These records might be transmitted as a referral to another healthcare provider. They’re regularly sent to an insurance company for payment.
A HIPAA business associate doesn’t see a patient. Instead, a business associate creates, receives, or sends the patient ePHI. A business associate can range from a professional shredding company to an accountant. Medical billing companies are also business associates.
Subsections of HIPAA
HHS drafted the statutes that protect private patient health records. HIPAA contains the following subsections:
HIPAA’s Security Rule includes all standards for securely sending and managing patient ePHI. The Security Rule covers all technical, administrative, and physical protection of a patient’s ePHI.
HIPAA’s Privacy Rule summarizes a patient’s right to see their own ePHI. This rule also summarizes a healthcare provider’s right to view a patient’s ePHI as well as the right to refuse someone’s access to the information. The Privacy Rule also summarizes what release forms an organization must use to be consistent with the rule.
Breach Notification Rule
HIPAA’s Breach Notification Rule summarizes national standards to follow when data breaches expose patient records. HIPAA requires companies to report all data breaches, regardless of their scope or size. The procedures required for reporting these breaches will depend on the type of disruption.
HIPAA Compliance Checklist
Is your practice at risk of penalties for HIPAA violations? If you’re not sure, you should act immediately.
Take this checklist for HIPAA compliance. Use it to protect your client’s ePHI in the administrative, physical, and technical areas of your practice. Feel free to add further protections as your compliance program comes together
Create Administrative Protections
Administrative protection addresses the behaviors of your staff. These are the team members who view, distribute, or process ePHI.
You can’t inspect staff’s every move. So implement administrative protections. They’ll help you watch how they handle ePHI by carefully programming information systems.
Examples of these protections include keeping records on any saved, privileged users’ actions. Direct your administrative team to look over these records and let you know when one of the users makes a modification. Hang on to this information for six months to a year.
You should also record and monitor all security-related events. These events should include access rights changes, connection failures, or system failures. Keep these records for six months or longer as well.
Control Physical Protection
Physical protection ranges from protecting office equipment to their physical office locations. These protections should help protect confidential records from physical intrusion. They should also protect them from natural hazards.
Be sure your office’s computerized equipment contains devices that limit ePHI access. This access should be for only authorized users.
This equipment and any servers that you use should have malware protection software installed and updated on a regular basis. Train your staff to create, revise, and store any ePHI on equipment that meets these security requirements.
Any computer monitors should be located in areas throughout your office in a way so that any unauthorized person can’t read them. Remind your staff to log-off, lock or secure their desktop equipment before they leave it unattended.
If your staff uses mobile devices (tablets, laptops, smartphones), be sure that no ePHI is stored on these devices. Direct your team not to store ePHI on removable storage devices such as USB drives or discs.
Apply Technical Protections
Technical protections help control and guard access to information. Protections can range from data encryption to standards for web hosting. You can use a different server to handle specific tasks like web hosting or data storage.
Use enterprise web hosting solutions that give you the necessary tools. These tools should help separate access permissions and support patient privacy.
Use cloud case management software to manage patient billing. Get NDIS CRM software to manage claims and invoices. Any documents or images you have uploaded by patients should be in encrypted forms.
Configure any servers with different permissions and encryption keys. Telemedicine sessions should be transmitted over a decoded stream. Schedule a regular security assessment to prevent any thefts of patient data or other cyber threats.
What’s Your Next Step?
If you’re ready to implement HIPAA compliance for your practice, you should start today. Follow our HIPAA compliance checklist. Meet with your team to create your plan for compliance going forward.
Don’t forget to check out our website for more helpful advice. We’re here to help your private practice reach its highest potential.