The Health Insurance Portability and Accountability Act – HIPAA of 1996 defines the standards used to protect the PHI – personal health information – of individuals. All health information, such as health records, medical bills, lab results, and patient histories, are examples of PHI if a covered entity is in the picture.
Covered entities include a healthcare clearinghouse, health plan, or healthcare provider. All these will likely create, receive, store, maintain, or use this type of health information.
Even though this rule has been law since 1996, many companies still need to develop a more robust strategy to ensure HIPPA compliance. Some tips to help ensure a business is HIPPA compliant can be found here.
Knowing what steps to take is essential to ensure compliance now and in the future. Also, remember, this isn’t a set-it-and-forget-it process. Regular adjustments and training will be needed to remain compliant.
Select a Security and Privacy Officer
For smaller practices, the Security and Privacy Officer can be the same individual. For a larger company or practice, the duties will likely be split between two people.
These are the individuals who will spearhead the compliance plan. If there isn’t someone designated for this role, you are considered non-compliant. This person or people will be in charge of creating and maintaining a HIPAA certification guide for the business.
Choose this individual carefully. In many cases, people are the weakest link when it comes to ensuring compliance.
Conduct a Risk Assessment
During this step, you must review your electronic devices and workplace to assess the possible vulnerabilities and risks to the integrity, confidentiality, and the availability of the ePHI that is held by the business associate or covered entity.
Risk assessments extend to the accessibility of the ePHI, such as the passwords, but to threats to your access to the ePHI that is caused by natural risks such as tornadoes and hurricanes. It also applies to human risks, like malicious hacking.
It is possible to perform this assessment in-house or hire an outside contractor to handle this on your behalf. If you want to handle the assessment on your own, there are risk assessment tools that can be used.
The first option (handling the assessment in-house) is the more affordable, and the second one may be more expensive. You can also use a combination of these two.
The key here is to remain detailed and identify where the security and privacy issues may lie. This will include listing all mobile and computing devices, where your paper files are stored, and how you will secure the offices when closed.
It is important to note that this isn’t a one-time event. Things will change as technology and risks evolve.
It is important to revisit the risk assessment anytime there is a theft, change in software or hardware, or breach. If these issues don’t arise, then conduct this assessment every two to three years.
Most businesses will use contractors or vendors to run the business or practice. According to HIPAA, entities or persons outside of the workplace who use or have access to the patients’ PHI or ePHI while performing service on your behalf are referred to as “business associates.”
With this status, there are specific considerations that must be made in the privacy equation. Some of the most common examples of Business Associates include cloud storage companies, third party billing agents, web hosts, IT vendors, laboratories, attorneys, email encryption companies, and more.
The list can get long. However, you need to document all of these Business Associates in your risk assessment.
Be sure to audit all Business Associates before accepting any signed agreement from them. Many people sign the agreements and have no clue what they have actually agreed to.
Auditing means that you take a look at the compliance plan the business associate has in place. They must have one, or you aren’t allowed to conduct business with them.
Your attorney should have an agreement that you can use, or you can use a HIPAA third-party agreement from a compliance company.
Once the risk assessment, privacy, and security policies and procedures, and business associates have been gathered, you may think everything is good to go. This isn’t the case.
In many situations, your employees are your weakest link.
It is necessary to invest in annual training for your employees based on the HIPAA rule. During this training, you must communicate information about the privacy and security policies and procedures you have created.
After all, what good is the work you have done for a compliance plan if no one knows about it or how to use it? Make sure your employees are trained on the HIPAA law and the specific plan you have created. You must also maintain records of this training.
HIPAA Compliance: Is Your Business Compliant?
When it comes to HIPAA compliance, there are many things to consider. Be sure to keep the information and steps here in mind to ensure that you don’t break the rules and that you remain compliant.
When it comes to business operations, there are many things you have to think about each day. Remaining compliant is just one of these things.
If you are looking for other helpful information, be sure to check out some of our other blogs. We offer information on everything from sales and real estate to marketing and more. We also post new blogs regularly, which means you will always find the latest and most updated information available.