Running a compliant medical care office requires that you know more than how to keep your patients physically safe.
You must also know how to protect their personal information – including details such as their social security number, financial information, and of course, personal medical records.
In 1996, HIPAA (The Health Insurance Portability Accountability Act) was enacted. HIPAA does two primary things:
- First, it helps employees to keep health insurance between jobs
- And, second, it makes healthcare offices and organizations responsible for protecting the private data of patients
For healthcare providers, HIPAA can feel a bit overwhelming. There are multiple regulations and requirements to meet in order to safely protect patient data. Furthermore, because the act deals with electronically-stored information, it can feel difficult to remain compliant in the ever-evolving digital landscape.
That’s why we’ve put together a 5-step guide to give you an overview of HIPAA – helping you to understand the “why” of this act, the basic areas of security that it covers, and starting points for HIPAA compliance.
Keep in mind that this guide is by no means comprehensive, but should give you a good start on helping your medical care office to becoming safe and compliant for both you and your patients.
Well then, let’s get started!
#1: Understanding the “Why” of HIPAA
As mentioned above, HIPAA was enacted in 1996, signed into law by Bill Clinton. HIPAA was groundbreaking because it established the first nationally-held standard for the protection of certain health information (PHI, or protected health information, or ePHI, electronic protected health information).
Under HIPAA, “covered entities” – such as medical providers or offices – are made responsible for the security of ePHI. The Office for Civil Rights (OCR) is responsible for making sure that covered entities meet HIPAA requirements.
Whew! That’s certainly a lot of acronyms to remember. The important thing to know is that as a medical office, you must take special care to protect the private data of your patients.
And while that may not seem incredibly complex, you should consider certain loopholes or gaps where information may slip through – such as social media accounts, emailing, casual conversations that happen between employees, and more.
Unfortunately, it’s actually quite easy to break a HIPAA regulation. If your office is caught breaking one of these rules, the consequences could be dire: huge fines, civil action lawsuits, or even criminal charges.
That’s why it’s so critical to make sure your bases are covered for meeting HIPAA requirements.
#2: Keep PHI Secure with Physical Safeguards
It may be easy to forget that there are actual physical entry points to your patients’ data, even if it’s stored electronically. It’s critical that you consider the physical surroundings of valuable storage points and who has access to those surroundings.
Control access to the healthcare facility
This includes access to both your medical office and remote server or data center, if you have one. Keep in mind that a range of people may be able to enter these facilities, including cleaners, engineers, repairmen, and building staff.
Consider the placement of your workstations
Remember that PHI may be visible from a workstation. That being said, strategically organize workstations – and entry points to those stations – so that PHI is kept safe and secure.
Don’t forget to regulate mobile access
If ePHI is made mobile-accessible to staff, put into place protocol for removing mobile access once the employee has left your organization, or the mobile phone is discarded or re-sold.
Keep an inventory of any hardware related to PHI. If you have a technician or special staff member who deals with office hardware, make sure they also take precautions to remain HIPAA-compliant.
#3: Implement Technical Safeguards for Maximum Security
Implementing technical safeguards is absolutely critical to ensuring the safety of ePHI. The most important aspect of this is data encryption – ensuring that once private patient information travels beyond the electronic barriers of your practice, the information is encrypted and unreadable by unwanted outside sources.
Establish protocol for each staff member with access to PHI.
Every user who has access to your electronic records must have a username and PIN.
Develop protocol for accessing PHI in the case of an emergency.
There may be cases where you need to quickly obtain the private information of a patient, but a staff member with access isn’t present at the office. Should this ever happen, you’ll need a plan to be able to rapidly access specific information in the case of an emergency.
Use encryption tools
As explained above, you’ll need to use encryption tools to protect the private information of your patients once it leaves your server. Likewise, this information needs to be decrypted once it reaches its destination.
Maintain activity logs
In order to track ePHI, you’ll need to keep a record of any activity performed on your patients’ data. This helps ensure that it doesn’t fall into the wrong hands, or get manipulated.
Set up automatic log-off
Any device that logs in to your EHR or EMR must automatically log off after a certain period of inactivity, helping secure information from unauthorized users.
#4: Develop Administrative Safeguards for Staff
When you may be hiring and re-hiring on a fairly consistent basis, it’s critical that you develop standard guidelines for training your employees on HIPAA. This also includes taking a look at what you’re already doing to assess risk.
Develop an ongoing risk assessment plan
In order to continue to meet HIPAA requirements, you’ll need to perform ongoing risk assessment of your facility. This includes identifying places where breaches could more easily occur.
Educate your staff on the absolute necessity of meeting HIPAA requirements. This includes helping them learn to identify possible breaches of privacy.
Enforce restricted third-party access.
In the case that your office should ever experience an emergency, develop a plan to make sure that the private data of your patients remains secure.
Creating a plan for emergencies.
If your office should ever experience an emergency, develop a plan to make sure that the private data of your patients remains secure.
Develop protocol for reporting incidents.
Once they are well-trained, your staff members may notice possible security breaches. Develop protocol for reporting these incidents.
#5: Use Secure Electronic Forms to Transfer Patient Data
One of the primary ways that the privacy of patient data is compromised is when information is transferred between your server and outside parties, such as the patients themselves, insurers, employers, schools, and other medical care providers.
For example, some medical offices may use email to transfer highly sensitive data to third parties. But email isn’t truly secure, and even using encryption within email poses its own problems.
However, using an electronic form system (such as IntakeQ) to collect the information of your patients and transfer it to other parties is a secure way of ensuring that the data doesn’t get lost, manipulated, or hacked.
Staying Secure: The Final Safeguard
In order to truly ensure that you are HIPAA compliant, it’s always best to hire an attorney or professional to help you cover your bases. But these steps should provide you with a basis of what you’ll need to implement at your office in order to protect your patients’ privacy, and your liability.