By the Book: 10 Steps to Becoming HIPAA Compliant
The Health Insurance Portability and Accountability Act (HIPAA) was designed to protect patient privacy. It applies to any organization that handles patients’ protected health information (PHI), including hospitals, doctors’ offices, long-term care facilities, health insurance companies, and many other actors. Ensuring compliance with HIPAA can create some frustrations, but it’s essential to protect patients from breaches of privacy and organizations from legal repercussions, so read on to find out about 10 ways to ensure compliance.
Protect PHI While In Transit
Patients’ PHI must be protected not just in the healthcare facility but while in transit to other providers. Organizations can ensure information security by switching to a hipaa compliant efax service and encrypting sensitive information sent via email and other digital means.
Document Privacy Policies
HIPAA’s regulations are intentionally vague. The Act is designed to be applicable to a wide variety of covered entities, so it’s up to those entities to adopt, implement, and document privacy and security policies. Organizations must also develop and document plans for what happens when breaches of HIPAA occur.
Appoint Dedicated Staff
Every healthcare facility or other covered entity should appoint a dedicated privacy officer and security officer. Both these tasks could be appointed to the same person, or they could be handled by different people. Just make sure the assigned staff member is intimately familiar with HIPAA regulations and requirements.
Conduct Risk Assessments
The best way to prevent data breaches is to conduct regular risk assessments to identify potential vulnerabilities before hackers do. If any vulnerabilities arise, they should be dealt with as quickly as possible.
Adopt Mobile Device Policies
Every healthcare facility should have strict policies in place governing the storage of PHI on mobile devices. If PHI is stored on mobile devices, the organization should regulate their removal from the premises.
Ongoing Training
All employees who are authorized to access or disclose PHI should receive ongoing training in HIPAA compliance. Participation in training sessions should be documented.
Notice of Privacy Practices
Publish and distribute a notice of privacy practices to all patients. Make sure each patient signs the notice to indicate they have received a copy and update it whenever the policies have been revised.
Implement Privacy Policies
Each healthcare facility or covered entity should have not just documented privacy policies, but also a documented plan for sanctioning employees who violate them. This plan should be easily implemented whenever an internal employee violates HIPAA regulations.
Document Breaches
HIPAA requires organizations that handle PHI to document every data breach. Organizations can perform risk assessment and risk of harm standard tests to determine whether breaches have occurred so they can investigate them and notify authorities immediately.
Secure Paperwork
Not all data breaches occur online. Physical copies of patients’ PHI also need to be protected. Never leave patient records unattended, and make sure to cover charts so the patients’ names are not visible. When not in use, paperwork containing PHI should be placed in a secure location.
The Bottom Line
Ensuring HIPAA compliance requires constant vigilance on the part of all employees working for healthcare organizations. In today’s technologically dependent world, many data breaches occur online while PHI is in transit, so organizations should focus on ensuring the security of online communications. They should not do so at the expense of in-person compliance, though, and should make sure all staff members receive ongoing training on how to protect sensitive information.