In our ongoing series on the Health Insurance Portability and Accountability Act (HIPAA), we have examined provisions of this sweeping act and what types of medical practices and ancillary businesses are affected. If your business relates in any way to HIPAA and patient information security, you need to know how to ensure your business is HIPAA-compliant.
Safeguarding the confidential use of protected health information (PHI) is a key element of HIPAA compliance for medical practices and ancillary business services. Here are primary areas all businesses should monitor to maintain HIPAA compliance standards and avoid paying fines for violation of government-mandated business practices.
Whether stored in servers or maintained in the cloud, patient information must be secured at all times in order for your business to be HIPAA-compliant. Implementing a full array of security measures is therefore a wise step to take, including everything from firewalls and email filters to the latest anti-virus and anti-phishing software.
Data encryption is highly advised to meet HIPAA guidelines—particularly when transmitting information over open networks. By adopting end-to-end encryption, you can minimize the liability to your business should information get “lost” or otherwise compromised.
To further ensure protection of data, it’s a good idea to conduct ongoing audits of your security measures. This helps uncover any areas of potential weakness, which you can then address and repair. This will benefit your business not only in HIPAA-compliance, but as a protective measure for all of your customers.
Work on anticipating any type of IT disasters. You should have a comprehensive data recovery plan in place, so as to minimize the potentially catastrophic effects of data loss due to a natural disaster, region-wide power outage or simple human error.
Employees and HIPAA Compliance
The people who work for you must be thoroughly aware of their own obligations when it comes to HIPAA compliance. If you haven’t done so already, begin implementing a series of training sessions on the use of PHI and processing HIPAA authorization forms. Don’t think of this training as a “one-time-only” event. Employees must learn how to incorporate security awareness into their daily routines and be periodically updated on any changes in HIPAA compliance policies.
Here are some additional guidelines to follow, particularly for employees charged with health care or health plan administrative responsibilities:
- Don’t access patient records without the patient’s written authorization.
- Don’t share protected information with anyone who doesn’t have access (co-workers, friends, etc.).
- Be discreet when discussing patient information within earshot of others.
- Restrict transmitting PHI by email unless no other means of transmission is available.
- When not being used, close any computer program that contains PHI.
- Employees with access to PHI should never share their passwords.
Business Associate Agreements
As noted in a previous post, “business associates” refers to an individual or organization who serves as a vendor or subcontractor with access to PHI. Examples include:
- Data transmission providers
- Data processing firms
- Data storage or document shredding companies
- Medical equipment companies
- Consultants hired for audits, coding reviews, etc.
- Electronic health information exchanges
- Medical transcription services
- External auditors or accountants
In order for your business or medical practice to be HIPAA-compliant, most vendors and subcontractors are required to sign a Business Associate Agreement (BAA). This agreement explicitly notes their willingness to comply with HIPAA privacy rules and rigorously protect all the data supplied to them. (The U.S. Department of Health and Human Services offers a sample BAA, with additional information and provisions.)
It’s in your own best interest to work only with business associates who are trained and up-to-date on HIPAA compliance guidelines.